From c887d9d31d9d201eb5791332ac7311d9c2391b21 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Jun 07 2024 21:02:30 +0000 Subject: Trim changelog so that it starts at F40 time --- diff --git a/changelog b/changelog index 9f7d356..7b37f65 100644 --- a/changelog +++ b/changelog 
@@ -320,767 +320,3 @@ - Add the unconfined_read_files() and unconfined_list_dirs() interfaces - Set default file context of HOME_DIR/tmp/.* to <> - Allow kernel_generic_helper_t to execute mount(1) - -* Fri Sep 29 2023 Zdenek Pytela - 38.29-1 -- Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t -- Allow systemd-localed create Xserver config dirs -- Allow sssd read symlinks in /etc/sssd -- Label /dev/gnss[0-9] with gnss_device_t -- Allow systemd-sleep read/write efivarfs variables -- ci: Fix version number of packit generated srpms -- Dontaudit rhsmcertd write memory device -- Allow ssh_agent_type create a sockfile in /run/user/USERID -- Set default file context of /var/lib/authselect/backups to <> -- Allow prosody read network sysctls -- Allow cupsd_t to use bpf capability - -* Fri Sep 15 2023 Zdenek Pytela - 38.28-1 -- Allow sssd domain transition on passkey_child execution conditionally -- Allow login_userdomain watch lnk_files in /usr -- Allow login_userdomain watch video4linux devices -- Change systemd-network-generator transition to include class file -- Revert "Change file transition for systemd-network-generator" -- Allow nm-dispatcher winbind plugin read/write samba var files -- Allow systemd-networkd write to cgroup files -- Allow kdump create and use its memfd: objects - -* Thu Aug 31 2023 Zdenek Pytela - 38.27-1 -- Allow fedora-third-party get generic filesystem attributes -- Allow sssd use usb devices conditionally -- Update policy for qatlib -- Allow ssh_agent_type manage generic cache home files - -* Thu Aug 24 2023 Zdenek Pytela - 38.26-1 -- Change file transition for systemd-network-generator -- Additional support for gnome-initial-setup -- Update gnome-initial-setup policy for geoclue -- Allow openconnect vpn open vhost net device -- Allow cifs.upcall to connect to SSSD also through the /var/run socket -- Grant cifs.upcall more required capabilities -- Allow xenstored map xenfs files -- Update policy for fdo -- Allow keepalived watch 
var_run dirs -- Allow svirt to rw /dev/udmabuf -- Allow qatlib to modify hardware state information. -- Allow key.dns_resolve connect to avahi over a unix stream socket -- Allow key.dns_resolve create and use unix datagram socket -- Use quay.io as the container image source for CI - -* Fri Aug 11 2023 Zdenek Pytela - 38.25-1 -- ci: Move srpm/rpm build to packit -- .copr: Avoid subshell and changing directory -- Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file -- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t -- Make insights_client_t an unconfined domain -- Allow insights-client manage user temporary files -- Allow insights-client create all rpm logs with a correct label -- Allow insights-client manage generic logs -- Allow cloud_init create dhclient var files and init_t manage net_conf_t -- Allow insights-client read and write cluster tmpfs files -- Allow ipsec read nsfs files -- Make tuned work with mls policy -- Remove nsplugin_role from mozilla.if -- allow mon_procd_t self:cap_userns sys_ptrace -- Allow pdns name_bind and name_connect all ports -- Set the MLS range of fsdaemon_t to s0 - mls_systemhigh -- ci: Move to actions/checkout@v3 version -- .copr: Replace chown call with standard workflow safe.directory setting -- .copr: Enable `set -u` for robustness -- .copr: Simplify root directory variable - -* Fri Aug 04 2023 Zdenek Pytela - 38.24-1 -- Allow rhsmcertd dbus chat with policykit -- Allow polkitd execute pkla-check-authorization with nnp transition -- Allow user_u and staff_u get attributes of non-security dirs -- Allow unconfined user filetrans chrome_sandbox_home_t -- Allow svnserve execute postdrop with a transition -- Do not make postfix_postdrop_t type an MTA executable file -- Allow samba-dcerpc service manage samba tmp files -- Add use_nfs_home_dirs boolean for mozilla_plugin -- Fix labeling for no-stub-resolv.conf - -* Wed Aug 02 2023 Zdenek Pytela - 38.23-1 -- Revert "Allow winbind-rpcd use its 
private tmp files" -- Allow upsmon execute upsmon via a helper script -- Allow openconnect vpn read/write inherited vhost net device -- Allow winbind-rpcd use its private tmp files -- Update samba-dcerpc policy for printing -- Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty -- Allow nscd watch system db dirs -- Allow qatlib to read sssd public files -- Allow fedora-third-party read /sys and proc -- Allow systemd-gpt-generator mount a tmpfs filesystem -- Allow journald write to cgroup files -- Allow rpc.mountd read network sysctls -- Allow blueman read the contents of the sysfs filesystem -- Allow logrotate_t to map generic files in /etc -- Boolean: Allow virt_qemu_ga create ssh directory - -* Tue Jul 25 2023 Zdenek Pytela - 38.22-1 -- Allow systemd-network-generator send system log messages -- Dontaudit the execute permission on sock_file globally -- Allow fsadm_t the file mounton permission -- Allow named and ndc the io_uring sqpoll permission -- Allow sssd io_uring sqpoll permission -- Fix location for /run/nsd -- Allow qemu-ga get fixed disk devices attributes -- Update bitlbee policy -- Label /usr/sbin/sos with sosreport_exec_t -- Update policy for the sblim-sfcb service -- Add the files_getattr_non_auth_dirs() interface -- Fix the CI to work with DNF5 - -* Sat Jul 22 2023 Fedora Release Engineering - 38.21-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Thu Jul 13 2023 Zdenek Pytela - 38.21-1 -- Make systemd_tmpfiles_t MLS trusted for lowering the level of files -- Revert "Allow insights client map cache_home_t" -- Allow nfsidmapd connect to systemd-machined over a unix socket -- Allow snapperd connect to kernel over a unix domain stream socket -- Allow virt_qemu_ga_t create .ssh dir with correct label -- Allow targetd read network sysctls -- Set the abrt_handle_event boolean to on -- Permit kernel_t to change the user identity in object contexts -- Allow insights client map cache_home_t -- Label /usr/sbin/mariadbd with 
mysqld_exec_t -- Trim changelog so that it starts at F37 time -- Define equivalency for /run/systemd/generator.early - -* Thu Jun 29 2023 Zdenek Pytela - 38.20-1 -- Allow httpd tcp connect to redis port conditionally -- Label only /usr/sbin/ripd and ripngd with zebra_exec_t -- Dontaudit aide the execmem permission -- Remove permissive from fdo -- Allow sa-update manage spamc home files -- Allow sa-update connect to systemlog services -- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t -- Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t -- Allow bootupd search EFI directory - -* Tue Jun 27 2023 Zdenek Pytela - 38.19-1 -- Change init_audit_control default value to true -- Allow nfsidmapd connect to systemd-userdbd with a unix socket -- Add the qatlib module -- Add the fdo module -- Add the bootupd module -- Set default ports for keylime policy -- Create policy for qatlib -- Add policy for FIDO Device Onboard -- Add policy for bootupd -- Add the qatlib module -- Add the fdo module -- Add the bootupd module - -* Sun Jun 25 2023 Zdenek Pytela - 38.18-1 -- Add support for kafs-dns requested by keyutils -- Allow insights-client execmem -- Add support for chronyd-restricted -- Add init_explicit_domain() interface -- Allow fsadm_t to get attributes of cgroup filesystems -- Add list_dir_perms to kerberos_read_keytab -- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t -- Allow sendmail manage its runtime files -- Allow keyutils_dns_resolver_exec_t be an entrypoint -- Allow collectd_t read network state symlinks -- Revert "Allow collectd_t read proc_net link files" -- Allow nfsd_t to list exports_t dirs -- Allow cupsd dbus chat with xdm -- Allow haproxy read hardware state information -- Add the kafs module - -* Thu Jun 15 2023 Zdenek Pytela - 38.17-1 -- Label /dev/userfaultfd with userfaultfd_t -- Allow blueman send general signals to unprivileged user domains -- Allow dkim-milter domain transition to sendmail -- Label 
/usr/sbin/cifs.idmap with cifs_helper_exec_t -- Allow cifs-helper read sssd kerberos configuration files -- Allow rpm_t sys_admin capability -- Allow dovecot_deliver_t create/map dovecot_spool_t dir/file -- Allow collectd_t read proc_net link files -- Allow insights-client getsession process permission -- Allow insights-client work with pipe and socket tmp files -- Allow insights-client map generic log files -- Update cyrus_stream_connect() to use sockets in /run -- Allow keyutils-dns-resolver read/view kernel key ring -- Label /var/log/kdump.log with kdump_log_t - -* Fri Jun 09 2023 Zdenek Pytela - 38.16-1 -- Add support for the systemd-pstore service -- Allow kdumpctl_t to execmem -- Update sendmail policy module for opensmtpd -- Allow nagios-mail-plugin exec postfix master -- Allow subscription-manager execute ip -- Allow ssh client connect with a user dbus instance -- Add support for ksshaskpass -- Allow rhsmcertd file transition in /run also for socket files -- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t -- Allow plymouthd read/write X server miscellaneous devices -- Allow systemd-sleep read udev pid files -- Allow exim read network sysctls -- Allow sendmail request load module -- Allow named map its conf files -- Allow squid map its cache files -- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition - -* Tue May 30 2023 Zdenek Pytela - 38.15-1 -- Update policy for systemd-sleep -- Remove permissive domain for rshim_t -- Remove permissive domain for mptcpd_t -- Allow systemd-bootchartd the sys_ptrace userns capability -- Allow sysadm_t read nsfs files -- Allow sysadm_t run kernel bpf programs -- Update ssh_role_template for ssh-agent -- Update ssh_role_template to allow read/write unallocated ttys -- Add the booth module to modules.conf -- Allow firewalld rw ica_tmpfs_t files - -* Fri May 26 2023 Zdenek Pytela - 38.14-1 -- Remove permissive domain for cifs_helper_t -- Update the cifs-helper policy -- 
Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to() -- Update pkcsslotd policy for sandboxing -- Allow abrt_t read kernel persistent storage files -- Dontaudit targetd search httpd config dirs -- Allow init_t nnp domain transition to policykit_t -- Allow rpcd_lsad setcap and use generic ptys -- Allow samba-dcerpcd connect to systemd_machined over a unix socket -- Allow wireguard to rw network sysctls -- Add policy for boothd -- Allow kernel to manage its own BPF objects -- Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t - -* Mon May 22 2023 Zdenek Pytela - 38.13-1 -- Add initial policy for cifs-helper -- Label key.dns_resolver with keyutils_dns_resolver_exec_t -- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t -- Allow some systemd services write to cgroup files -- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files -- Allow systemd resolved to bind to arbitrary nodes -- Allow plymouthd_t bpf capability to run bpf programs -- Allow cupsd to create samba_var_t files -- Allow rhsmcert request the kernel to load a module -- Allow virsh name_connect virt_port_t -- Allow certmonger manage cluster library files -- Allow plymouthd read init process state -- Add chromium_sandbox_t setcap capability -- Allow snmpd read raw disk data -- Allow samba-rpcd work with passwords -- Allow unconfined service inherit signal state from init -- Allow cloud-init manage gpg admin home content -- Allow cluster_t dbus chat with various services -- Allow nfsidmapd work with systemd-userdbd and sssd -- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes -- Allow plymouthd map dri and framebuffer devices -- Allow rpmdb_migrate execute rpmdb -- Allow logrotate dbus chat with systemd-hostnamed -- Allow icecast connect to kernel using a unix stream socket -- Allow lldpad connect to systemd-userdbd over a unix socket -- Allow journalctl open user domain ptys and ttys -- Allow 
keepalived to manage its tmp files -- Allow ftpd read network sysctls -- Label /run/bgpd with zebra_var_run_t -- Allow gssproxy read network sysctls -- Add the cifsutils module - -* Tue Apr 25 2023 Zdenek Pytela - 38.12-1 -- Allow telnetd read network sysctls -- Allow munin system plugin read generic SSL certificates -- Allow munin system plugin create and use netlink generic socket -- Allow login_userdomain create user namespaces -- Allow request-key to send syslog messages -- Allow request-key to read/view any key -- Add fs_delete_pstore_files() interface -- Allow insights-client work with teamdctl -- Allow insights-client read unconfined service semaphores -- Allow insights-client get quotas of all filesystems -- Add fs_read_pstore_files() interface -- Allow generic kernel helper to read inherited kernel pipes - -* Fri Apr 14 2023 Zdenek Pytela - 38.11-1 -- Allow dovecot-deliver write to the main process runtime fifo files -- Allow dmidecode write to cloud-init tmp files -- Allow chronyd send a message to cloud-init over a datagram socket -- Allow cloud-init domain transition to insights-client domain -- Allow mongodb read filesystem sysctls -- Allow mongodb read network sysctls -- Allow accounts-daemon read generic systemd unit lnk files -- Allow blueman watch generic device dirs -- Allow nm-dispatcher tlp plugin create tlp dirs -- Allow systemd-coredump mounton /usr -- Allow rabbitmq to read network sysctls - -* Tue Apr 04 2023 Zdenek Pytela - 38.10-1 -- Allow certmonger dbus chat with the cron system domain -- Allow geoclue read network sysctls -- Allow geoclue watch the /etc directory -- Allow logwatch_mail_t read network sysctls -- Allow insights-client read all sysctls -- Allow passt manage qemu pid sock files - -* Fri Mar 24 2023 Zdenek Pytela - 38.9-1 -- Allow sssd read accountsd fifo files -- Add support for the passt_t domain -- Allow virtd_t and svirt_t work with passt -- Add new interfaces in the virt module -- Add passt interfaces defined 
conditionally -- Allow tshark the setsched capability -- Allow poweroff create connections to system dbus -- Allow wg load kernel modules, search debugfs dir -- Boolean: allow qemu-ga manage ssh home directory -- Label smtpd with sendmail_exec_t -- Label msmtp and msmtpd with sendmail_exec_t -- Allow dovecot to map files in /var/spool/dovecot - -* Fri Mar 03 2023 Zdenek Pytela - 38.8-1 -- Confine gnome-initial-setup -- Allow qemu-guest-agent create and use vsock socket -- Allow login_pgm setcap permission -- Allow chronyc read network sysctls -- Enhancement of the /usr/sbin/request-key helper policy -- Fix opencryptoki file names in /dev/shm -- Allow system_cronjob_t transition to rpm_script_t -- Revert "Allow system_cronjob_t domtrans to rpm_script_t" -- Add tunable to allow squid bind snmp port -- Allow staff_t getattr init pid chr & blk files and read krb5 -- Allow firewalld to rw z90crypt device -- Allow httpd work with tokens in /dev/shm -- Allow svirt to map svirt_image_t char files -- Allow sysadm_t run initrc_t script and sysadm_r role access -- Allow insights-client manage fsadm pid files - -* Wed Feb 08 2023 Zdenek Pytela - 38.7-1 -- Allowing snapper to create snapshots of /home/ subvolume/partition -- Add boolean qemu-ga to run unconfined script -- Label systemd-journald feature LogNamespace -- Add none file context for polyinstantiated tmp dirs -- Allow certmonger read the contents of the sysfs filesystem -- Add journalctl the sys_resource capability -- Allow nm-dispatcher plugins read generic files in /proc -- Add initial policy for the /usr/sbin/request-key helper -- Additional support for rpmdb_migrate -- Add the keyutils module - -* Mon Jan 30 2023 Zdenek Pytela - 38.6-1 -- Boolean: allow qemu-ga read ssh home directory -- Allow kernel_t to read/write all sockets -- Allow kernel_t to UNIX-stream connect to all domains -- Allow systemd-resolved send a datagram to journald -- Allow kernel_t to manage and have "execute" access to all files -- Fix the 
files_manage_all_files() interface -- Allow rshim bpf cap2 and read sssd public files -- Allow insights-client work with su and lpstat -- Allow insights-client tcp connect to all ports -- Allow nm-cloud-setup dispatcher plugin restart nm services -- Allow unconfined user filetransition for sudo log files -- Allow modemmanager create hardware state information files -- Allow ModemManager all permissions for netlink route socket -- Allow wg to send msg to kernel, write to syslog and dbus connections -- Allow hostname_t to read network sysctls. -- Dontaudit ftpd the execmem permission -- Allow svirt request the kernel to load a module -- Allow icecast rename its log files -- Allow upsd to send signal to itself -- Allow wireguard to create udp sockets and read net_conf -- Use '%autosetup' instead of '%setup' -- Pass -p 1 to '%autosetup' - -* Sat Jan 21 2023 Fedora Release Engineering - 38.5-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Fri Jan 13 2023 Zdenek Pytela - 38.5-1 -- Allow insights client work with gluster and pcp -- Add insights additional capabilities -- Add interfaces in domain, files, and unconfined modules -- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t -- Allow sudodomain use sudo.log as a logfile -- Allow pdns server map its library files and bind to unreserved ports -- Allow sysadm_t read/write ipmi devices -- Allow prosody manage its runtime socket files -- Allow kernel threads manage kernel keys -- Allow systemd-userdbd the sys_resource capability -- Allow systemd-journal list cgroup directories -- Allow apcupsd dbus chat with systemd-logind -- Allow nut_domain manage also files and sock_files in /var/run -- Allow winbind-rpcd make a TCP connection to the ldap port -- Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t -- Allow tlp read generic SSL certificates -- Allow systemd-resolved watch tmpfs directories -- Revert "Allow systemd-resolved watch tmpfs directories" - -* Mon Dec 19 2022 Zdenek Pytela - 
38.4-1 -- Allow NetworkManager and wpa_supplicant the bpf capability -- Allow systemd-rfkill the bpf capability -- Allow winbind-rpcd manage samba_share_t files and dirs -- Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t -- Allow gpsd the sys_ptrace userns capability -- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t -- Allow load_policy_t write to unallocated ttys -- Allow ndc read hardware state information -- Allow system mail service read inherited certmonger runtime files -- Add lpr_roles to system_r roles -- Revert "Allow insights-client run lpr and allow the proper role" -- Allow stalld to read /sys/kernel/security/lockdown file -- Allow keepalived to set resource limits -- Add policy for mptcpd -- Add policy for rshim -- Allow admin users to create user namespaces -- Allow journalctl relabel with var_log_t and syslogd_var_run_t files -- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted -- Trim changelog so that it starts at F35 time -- Add mptcpd and rshim modules - -* Wed Dec 14 2022 Zdenek Pytela - 38.3-1 -- Allow insights-client dbus chat with various services -- Allow insights-client tcp connect to various ports -- Allow insights-client run lpr and allow the proper role -- Allow insights-client work with pcp and manage user config files -- Allow redis get user names -- Allow kernel threads to use fds from all domains -- Allow systemd-modules-load load kernel modules -- Allow login_userdomain watch systemd-passwd pid dirs -- Allow insights-client dbus chat with abrt -- Grant kernel_t certain permissions in the system class -- Allow systemd-resolved watch tmpfs directories -- Allow systemd-timedated watch init runtime dir -- Make `bootc` be `install_exec_t` -- Allow systemd-coredump create user_namespace -- Allow syslog the setpcap capability -- donaudit virtlogd and dnsmasq execmem - -* Tue Dec 06 2022 Zdenek Pytela - 38.2-1 -- Don't make kernel_t an unconfined domain -- Don't allow kernel_t to execute bin_t/usr_t binaries 
without a transition -- Allow kernel_t to execute systemctl to do a poweroff/reboot -- Grant basic permissions to the domain created by systemd_systemctl_domain() -- Allow kernel_t to request module loading -- Allow kernel_t to do compute_create -- Allow kernel_t to manage perf events -- Grant almost all capabilities to kernel_t -- Allow kernel_t to fully manage all devices -- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue" -- Allow pulseaudio to write to session_dbusd tmp socket files -- Allow systemd and unconfined_domain_type create user_namespace -- Add the user_namespace security class -- Reuse tmpfs_t also for the ramfs filesystem -- Label udf tools with fsadm_exec_t -- Allow networkmanager_dispatcher_plugin work with nscd -- Watch_sb all file type directories. -- Allow spamc read hardware state information files -- Allow sysadm read ipmi devices -- Allow insights client communicate with cupsd, mysqld, openvswitch, redis -- Allow insights client read raw memory devices -- Allow the spamd_update_t domain get generic filesystem attributes -- Dontaudit systemd-gpt-generator the sys_admin capability -- Allow ipsec_t only read tpm devices -- Allow cups-pdf connect to the system log service -- Allow postfix/smtpd read kerberos key table -- Allow syslogd read network sysctls -- Allow cdcc mmap dcc-client-map files -- Add watch and watch_sb dosfs interface - -* Mon Nov 21 2022 Zdenek Pytela - 38.1-1 -- Revert "Allow sysadm_t read raw memory devices" -- Allow systemd-socket-proxyd get attributes of cgroup filesystems -- Allow rpc.gssd read network sysctls -- Allow winbind-rpcd get attributes of device and pty filesystems -- Allow insights-client domain transition on semanage execution -- Allow insights-client create gluster log dir with a transition -- Allow insights-client manage generic locks -- Allow insights-client unix_read all domain semaphores -- Add 
domain_unix_read_all_semaphores() interface -- Allow winbind-rpcd use the terminal multiplexor -- Allow mrtg send mails -- Allow systemd-hostnamed dbus chat with init scripts -- Allow sssd dbus chat with system cronjobs -- Add interface to watch all filesystems -- Add watch_sb interfaces -- Add watch interfaces -- Allow dhcpd bpf capability to run bpf programs -- Allow netutils and traceroute bpf capability to run bpf programs -- Allow pkcs_slotd_t bpf capability to run bpf programs -- Allow xdm bpf capability to run bpf programs -- Allow pcscd bpf capability to run bpf programs -- Allow lldpad bpf capability to run bpf programs -- Allow keepalived bpf capability to run bpf programs -- Allow ipsec bpf capability to run bpf programs -- Allow fprintd bpf capability to run bpf programs -- Allow systemd-socket-proxyd get filesystems attributes -- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files - -* Mon Oct 31 2022 Zdenek Pytela - 37.14-1 -- Allow rotatelogs read httpd_log_t symlinks -- Add winbind-rpcd to samba_enable_home_dirs boolean -- Allow system cronjobs dbus chat with setroubleshoot -- Allow setroubleshootd read device sysctls -- Allow virt_domain read device sysctls -- Allow rhcd compute selinux access vector -- Allow insights-client manage samba var dirs -- Label ports 10161-10162 tcp/udp with snmp -- Allow aide to connect to systemd_machined with a unix socket. 
-- Allow samba-dcerpcd use NSCD services over a unix stream socket -- Allow vlock search the contents of the /dev/pts directory -- Allow insights-client send null signal to rpm and system cronjob -- Label port 15354/tcp and 15354/udp with opendnssec -- Allow ftpd map ftpd_var_run files -- Allow targetclid to manage tmp files -- Allow insights-client connect to postgresql with a unix socket -- Allow insights-client domtrans on unix_chkpwd execution -- Add file context entries for insights-client and rhc -- Allow pulseaudio create gnome content (~/.config) -- Allow login_userdomain dbus chat with rhsmcertd -- Allow sbd the sys_ptrace capability -- Allow ptp4l_t name_bind ptp_event_port_t - -* Mon Oct 03 2022 Zdenek Pytela - 37.13-1 -- Remove the ipa module -- Allow sss daemons read/write unnamed pipes of cloud-init -- Allow postfix_mailqueue create and use unix dgram sockets -- Allow xdm watch user home directories -- Allow nm-dispatcher ddclient plugin load a kernel module -- Stop ignoring standalone interface files -- Drop cockpit module -- Allow init map its private tmp files -- Allow xenstored change its hard resource limits -- Allow system_mail-t read network sysctls -- Add bgpd sys_chroot capability - -* Thu Sep 22 2022 Zdenek Pytela - 37.12-1 -- nut-upsd: kernel_read_system_state, fs_getattr_cgroup -- Add numad the ipc_owner capability -- Allow gst-plugin-scanner read virtual memory sysctls -- Allow init read/write inherited user fifo files -- Update dnssec-trigger policy: setsched, module_request -- added policy for systemd-socket-proxyd -- Add the new 'cmd' permission to the 'io_uring' class -- Allow winbind-rpcd read and write its key ring -- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t -- blueman-mechanism can read ~/.local/lib/python*/site-packages directory -- pidof executed by abrt can readlink /proc/*/exe -- Fix typo in comment -- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum - -* Wed Sep 14 2022 Zdenek Pytela - 
37.11-1 -- Allow tor get filesystem attributes -- Allow utempter append to login_userdomain stream -- Allow login_userdomain accept a stream connection to XDM -- Allow login_userdomain write to boltd named pipes -- Allow staff_u and user_u users write to bolt pipe -- Allow login_userdomain watch various directories -- Update rhcd policy for executing additional commands 5 -- Update rhcd policy for executing additional commands 4 -- Allow rhcd create rpm hawkey logs with correct label -- Allow systemd-gpt-auto-generator to check for empty dirs -- Update rhcd policy for executing additional commands 3 -- Allow journalctl read rhcd fifo files -- Update insights-client policy for additional commands execution 5 -- Allow init remount all file_type filesystems -- Confine insights-client systemd unit -- Update insights-client policy for additional commands execution 4 -- Allow pcp pmcd search tracefs and acct_data dirs -- Allow httpd read network sysctls -- Dontaudit domain map permission on directories -- Revert "Allow X userdomains to mmap user_fonts_cache_t dirs" -- Revert "Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)" -- Update insights-client policy for additional commands execution 3 -- Allow systemd permissions needed for sandboxed services -- Add rhcd module -- Make dependency on rpm-plugin-selinux unordered - -* Fri Sep 02 2022 Zdenek Pytela - 37.10-1 -- Allow ipsec_t read/write tpm devices -- Allow rhcd execute all executables -- Update rhcd policy for executing additional commands 2 -- Update insights-client policy for additional commands execution 2 -- Allow sysadm_t read raw memory devices -- Allow chronyd send and receive chronyd/ntp client packets -- Allow ssh client read kerberos homedir config files -- Label /var/log/rhc-worker-playbook with rhcd_var_log_t -- Update insights-client policy (auditctl, gpg, journal) -- Allow system_cronjob_t domtrans to rpm_script_t -- Allow smbd_t process noatsecure permission for winbind_rpcd_t -- 
Update tor_bind_all_unreserved_ports interface -- Allow chronyd bind UDP sockets to ptp_event ports. -- Allow unconfined and sysadm users transition for /root/.gnupg -- Add gpg_filetrans_admin_home_content() interface -- Update rhcd policy for executing additional commands -- Update insights-client policy for additional commands execution -- Add userdom_view_all_users_keys() interface -- Allow gpg read and write generic pty type -- Allow chronyc read and write generic pty type -- Allow system_dbusd ioctl kernel with a unix stream sockets -- Allow samba-bgqd to read a printer list -- Allow stalld get and set scheduling policy of all domains. -- Allow unconfined_t transition to targetclid_home_t - -* Thu Aug 11 2022 Zdenek Pytela - 37.9-1 -- Allow nm-dispatcher custom plugin dbus chat with nm -- Allow nm-dispatcher sendmail plugin get status of systemd services -- Allow xdm read the kernel key ring -- Allow login_userdomain check status of mount units -- Allow postfix/smtp and postfix/virtual read kerberos key table -- Allow services execute systemd-notify -- Do not allow login_userdomain use sd_notify() -- Allow launch-xenstored read filesystem sysctls -- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd -- Allow openvswitch fsetid capability -- Allow openvswitch use its private tmpfs files and dirs -- Allow openvswitch search tracefs dirs -- Allow pmdalinux read files on an nfsd filesystem -- Allow winbind-rpcd write to winbind pid files -- Allow networkmanager to signal unconfined process -- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t -- Allow samba-bgqd get a printer list -- fix(init.fc): Fix section description -- Allow fedora-third-party read the passwords file -- Remove permissive domain for rhcd_t -- Allow pmie read network state information and network sysctls -- Revert "Dontaudit domain the fowner capability" -- Allow sysadm_t to run bpftool on the userdomain attribute -- Add the 
userdom_prog_run_bpf_userdomain() interface -- Allow insights-client rpm named file transitions -- Add /var/tmp/insights-archive to insights_client_filetrans_named_content - -* Mon Aug 01 2022 Zdenek Pytela - 37.8-1 -- Allow sa-update to get init status and start systemd files -- Use insights_client_filetrans_named_content -- Make default file context match with named transitions -- Allow nm-dispatcher tlp plugin send system log messages -- Allow nm-dispatcher tlp plugin create and use unix_dgram_socket -- Add permissions to manage lnk_files into gnome_manage_home_config -- Allow rhsmcertd to read insights config files -- Label /etc/insights-client/machine-id -- fix(devices.fc): Replace single quote in comment to solve parsing issues -- Make NetworkManager_dispatcher_custom_t an unconfined domain - -* Sat Jul 23 2022 Fedora Release Engineering - 37.7-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Thu Jul 14 2022 Zdenek Pytela - 37.7-1 -- Update winbind_rpcd_t -- Allow some domains use sd_notify() -- Revert "Allow rabbitmq to use systemd notify" -- fix(sedoctool.py): Fix syntax warning: "is not" with a literal -- Allow nm-dispatcher console plugin manage etc files -- Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs -- Allow nm-dispatcher console plugin setfscreate -- Support using systemd-update-helper in rpm scriptlets -- Allow nm-dispatcher winbind plugin read samba config files -- Allow domain use userfaultfd over all domains -- Allow cups-lpd read network sysctls - -* Wed Jun 29 2022 Zdenek Pytela - 37.6-1 -- Allow stalld set scheduling policy of kernel threads -- Allow targetclid read /var/target files -- Allow targetclid read generic SSL certificates (fixed) -- Allow firewalld read the contents of the sysfs filesystem -- Fix file context pattern for /var/target -- Use insights_client_etc_t in insights_search_config() -- Allow nm-dispatcher ddclient plugin handle systemd services -- Allow nm-dispatcher winbind 
plugin run smbcontrol -- Allow nm-dispatcher custom plugin create and use unix dgram socket -- Update samba-dcerpcd policy for kerberos usage 2 -- Allow keepalived read the contents of the sysfs filesystem -- Allow amandad read network sysctls -- Allow cups-lpd read network sysctls -- Allow kpropd read network sysctls -- Update insights_client_filetrans_named_content() -- Allow rabbitmq to use systemd notify -- Label /var/target with targetd_var_t -- Allow targetclid read generic SSL certificates -- Update rhcd policy -- Allow rhcd search insights configuration directories -- Add the kernel_read_proc_files() interface -- Require policycoreutils >= 3.4-1 -- Add a script for enclosing interfaces in ifndef statements -- Disable rpm verification on interface_info - -* Wed Jun 22 2022 Zdenek Pytela - 37.5-1 -- Allow transition to insights_client named content -- Add the insights_client_filetrans_named_content() interface -- Update policy for insights-client to run additional commands 3 -- Allow dhclient manage pid files used by chronyd -- Allow stalld get scheduling policy of kernel threads -- Allow samba-dcerpcd work with sssd -- Allow dlm_controld send a null signal to a cluster daemon -- Allow ksmctl create hardware state information files -- Allow winbind_rpcd_t connect to self over a unix_stream_socket -- Update samba-dcerpcd policy for kerberos usage -- Allow insights-client execute its private memfd: objects -- Update policy for insights-client to run additional commands 2 -- Use insights_client_tmp_t instead of insights_client_var_tmp_t -- Change space indentation to tab in insights-client -- Use socket permissions sets in insights-client -- Update policy for insights-client to run additional commands -- Change rpm_setattr_db_files() to use a pattern -- Allow init_t to rw insights_client unnamed pipe -- Add rpm setattr db files macro -- Fix insights client -- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling -- Allow rabbitmq to access its private 
memfd: objects -- Update policy for samba-dcerpcd -- Allow stalld setsched and sys_nice - -* Tue Jun 07 2022 Zdenek Pytela - 37.4-1 -- Allow auditd_t noatsecure for a transition to audisp_remote_t -- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket -- Allow pcp_domain execute its private memfd: objects -- Add support for samba-dcerpcd -- Add policy for wireguard -- Confine targetcli -- Allow systemd work with install_t unix stream sockets -- Allow iscsid the sys_ptrace userns capability -- Allow xdm connect to unconfined_service_t over a unix stream socket - -* Fri May 27 2022 Zdenek Pytela - 37.3-1 -- Allow nm-dispatcher custom plugin execute systemctl -- Allow nm-dispatcher custom plugin dbus chat with nm -- Allow nm-dispatcher custom plugin create and use udp socket -- Allow nm-dispatcher custom plugin create and use netlink_route_socket -- Use create_netlink_socket_perms in netlink_route_socket class permissions -- Add support for nm-dispatcher sendmail scripts -- Allow sslh net_admin capability -- Allow insights-client manage gpg admin home content -- Add the gpg_manage_admin_home_content() interface -- Allow rhsmcertd create generic log files -- Update logging_create_generic_logs() to use create_files_pattern() -- Label /var/cache/insights with insights_client_cache_t -- Allow insights-client search gconf homedir -- Allow insights-client create and use unix_dgram_socket -- Allow blueman execute its private memfd: files -- Move the chown call into make-srpm.sh - -* Fri May 06 2022 Zdenek Pytela - 37.2-1 -- Use the networkmanager_dispatcher_plugin attribute in allow rules -- Make a custom nm-dispatcher plugin transition -- Label port 4784/tcp and 4784/udp with bfd_multi -- Allow systemd watch and watch_reads user ptys -- Allow sblim-gatherd the kill capability -- Label more vdsm utils with virtd_exec_t -- Add ksm service to ksmtuned -- Add rhcd policy -- Dontaudit guest attempts to dbus chat with systemd domains -- Dontaudit guest attempts to dbus chat with 
system bus types -- Use a named transition in systemd_hwdb_manage_config() -- Add default fc specifications for patterns in /opt -- Add the files_create_etc_files() interface -- Allow nm-dispatcher console plugin create and write files in /etc -- Allow nm-dispatcher console plugin transition to the setfiles domain -- Allow more nm-dispatcher plugins append to init stream sockets -- Allow nm-dispatcher tlp plugin dbus chat with nm -- Reorder networkmanager_dispatcher_plugin_template() calls -- Allow svirt connectto virtlogd -- Allow blueman map its private memfd: files -- Allow sysadm user execute init scripts with a transition -- Allow sblim-sfcbd connect to sblim-reposd stream -- Allow keepalived_unconfined_script_t dbus chat with init -- Run restorecon with "-i" not to report errors - -* Mon May 02 2022 Zdenek Pytela - 37.1-1 -- Fix users for SELinux userspace 3.4 -- Label /var/run/machine-id as machineid_t -- Add stalld to modules.conf -- Use files_tmpfs_file() for rhsmcertd_tmpfs_t -- Allow blueman read/write its private memfd: objects -- Allow insights-client read rhnsd config files -- Allow insights-client create_socket_perms for tcp/udp sockets
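Review bot: the rule used to pick the cut point is not recorded anywhere in the diff; the removed region visible here runs from the 37.5-1 entry (Wed Jun 22 2022) down to 37.1-1 (Mon May 02 2022), and nothing in the patch tells a later maintainer whether the boundary was chosen by date, by the 37.x/38.x version series, or by a Fedora branch point, so the next trim may not apply the same rule. Suggest one sentence in the commit message, or a single line kept at the top of the retained changelog, stating the boundary and that the older entries remain in git history, e.g. "Entries 37.1-1 through 38.x were trimmed; see git log for the full history". Worth a second look as well: the removed block carries dependency-bump history such as "Require policycoreutils >= 3.4-1" and "Fix users for SELinux userspace 3.4"; if anyone relies on the packaged changelog rather than git to trace those bumps, the pointer above covers it.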
