Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

selinux-policy-sandbox-41.26-2.fc42 RPM for noarch

From Fedora Rawhide for s390x / s

Name: selinux-policy-sandbox Distribution: Fedora Project
Version: 41.26 Vendor: Fedora Project
Release: 2.fc42 Build date: Mon Dec 2 13:37:01 2024
Group: Unspecified Build host: buildvm-a64-18.iad2.fedoraproject.org
Size: 87393 Source RPM: selinux-policy-41.26-2.fc42.src.rpm
Packager: Fedora Project
Url: https://github.com/fedora-selinux/selinux-policy
Summary: SELinux sandbox policy
SELinux sandbox policy for use with the sandbox utility.

Provides

Requires

License

GPL-2.0-or-later

Changelog

* Mon Dec 02 2024 Petr Lautrbach <[email protected]> - 41.26-2
  - Rebuild with SELinux Userspace 3.8
* Tue Nov 19 2024 Zdenek Pytela <[email protected]> - 41.26-1
  - [5/5][sync from 'mysql-selinux'] Add mariadb-backup
  - [4/5][sync from 'mysql-selinux'] Fix regex to also match '/var/lib/mysql/mysqlx.sock'
  - [3/5][sync from 'mysql-selinux'] Allow mysqld_t to read and write to the 'memory.pressure' file in cgroup2
  - [2/5][sync from 'mysql-selinux'] 2nd attempt to fix rhbz#2186996 rhbz#2221433 rhbz#2245705
  - [1/5][sync from 'mysql-selinux'] Allow 'mysqld' to use '/usr/bin/hostname'
  - Allow systemd-networkd read mount pid files
  - Update policy for samba-bgqd
  - Allow chronyd read networkmanager's pid files
  - Allow staff user connect to generic tcp ports
  - Allow gnome-remote-desktop dbus chat with policykit
  - Allow tlp the setpgid process permission
  - Update the bootupd policy
  - Allow sysadm_t use the io_uring API
  - Allow sysadm user dbus chat with virt-dbus
  - Allow virtqemud_t read virsh_t files
  - Allow virt_dbus_t connect to virtd_t over a unix stream socket
  - Allow systemd-tpm2-generator read hardware state information
  - Allow coreos-installer-generator execute generic programs
  - Allow coreos-installer domain transition on udev execution
  - Revert "Allow unconfined_t execute kmod in the kmod domain"
  - Allow iio-sensor-proxy create and use unix dgram socket
  - Allow virtstoraged read vm sysctls
  - Support ssh connections via systemd-ssh-generator
  - Label all semanage store files in /etc as semanage_store_t
  - Add file transition for nvidia-modeset
* Fri Oct 25 2024 Zdenek Pytela <[email protected]> - 41.25-1
  - Allow dirsrv-snmp map dirsv_tmpfs_t files
  - Label /usr/lib/node_modules_22/npm/bin with bin_t
  - Add policy for /usr/libexec/samba/samba-bgqd
  - Allow gnome-remote-desktop watch /etc directory
  - Allow rpcd read network sysctls
  - Allow journalctl connect to systemd-userdbd over a unix socket
  - Allow some confined users send to lldpad over a unix dgram socket
  - Allow lldpad send to unconfined_t over a unix dgram socket
  - Allow lldpd connect to systemd-machined over a unix socket
  - Confine the ktls service
* Wed Oct 23 2024 Zdenek Pytela <[email protected]> - 41.24-1
  - Allow dirsrv read network sysctls
  - Label /run/sssd with sssd_var_run_t
  - Label /etc/sysctl.d and /run/sysctl.d with system_conf_t
  - Allow unconfined_t execute kmod in the kmod domain
  - Allow confined users r/w to screen unix stream socket
  - Label /root/.screenrc and /root/.tmux.conf with screen_home_t
  - Allow virtqemud read virtd_t files
  - Allow ping_t read network sysctls
* Mon Oct 21 2024 Zdenek Pytela <[email protected]> - 41.23-1
  - Allow systemd-homework connect to init over a unix socket
  - Fix systemd-homed blobs directory permissions
  - Allow virtqemud read sgx_vepc devices
  - Allow lldpad create and use netlink_generic_socket
* Wed Oct 16 2024 Zdenek Pytela <[email protected]> - 41.22-1
  - Allow systemd-homework write to init pid socket
  - Allow init create /var/cache/systemd/home
  - Confine the pcm service
  - Allow login_userdomain read thumb tmp files
  - Update power-profiles-daemon policy
  - Fix the /etc/mdevctl\.d(/.*)? regexp
  - Grant rhsmcertd chown capability & userdb access
  - Allow iio-sensor-proxy the bpf capability
  - Allow systemd-machined the kill user-namespace capability
* Fri Oct 11 2024 Zdenek Pytela <[email protected]> - 41.21-1
  - Remove the fail2ban module sources
  - Remove the linuxptp module sources
  - Remove legacy rules for slrnpull
  - Remove the aiccu module sources
  - Remove the bcfg2 module sources
  - Remove the amtu module sources
  - Remove the rhev module sources
  - Remove all file context entries for /bin and /lib
  - Allow ptp4l the sys_admin capability
  - Confine power-profiles-daemon
  - Label /var/cache/systemd/home with systemd_homed_cache_t
  - Allow login_userdomain connect to systemd-homed over a unix socket
  - Allow boothd connect to systemd-homed over a unix socket
  - Allow systemd-homed get attributes of a tmpfs filesystem
  - Allow abrt-dump-journal-core connect to systemd-homed over a unix socket
  - Allow aide connect to systemd-homed over a unix socket
  - Label /dev/hfi1_[0-9]+ devices
  - Suppress semodule's stderr
* Thu Oct 03 2024 Zdenek Pytela <[email protected]> - 41.20-1
  - Remove the openct module sources
  - Remove the timidity module sources
  - Enable the slrn module
  - Remove i18n_input module sources
  - Enable the distcc module
  - Remove the ddcprobe module sources
  - Remove the timedatex module sources
  - Remove the djbdns module sources
  - Confine iio-sensor-proxy
  - Allow staff user nlmsg_write
  - Update policy for xdm with confined users
  - Allow virtnodedev watch mdevctl config dirs
  - Allow ssh watch home config dirs
  - Allow ssh map home configs files
  - Allow ssh read network sysctls
  - Allow chronyc sendto to chronyd-restricted
  - Allow cups sys_ptrace capability in the user namespace
* Tue Sep 24 2024 Zdenek Pytela <[email protected]> - 41.19-1
  - Add policy for systemd-homed
  - Remove fc entry for /usr/bin/pump
  - Label /usr/bin/noping and /usr/bin/oping with ping_exec_t
  - Allow accountsd read gnome-initial-setup tmp files
  - Allow xdm write to gnome-initial-setup fifo files
  - Allow rngd read and write generic usb devices
  - Allow qatlib search the content of the kernel debugging filesystem
  - Allow qatlib connect to systemd-machined over a unix socket
* Wed Sep 18 2024 Petr Lautrbach <[email protected]> - 41.18-1
  - Drop ru man pages
  - mls/modules.conf - fix typo
  - Allow unprivileged user watch /run/systemd
  - Allow boothd connect to kernel over a unix socket
* Mon Sep 16 2024 Zdenek Pytela <[email protected]> - 41.17-2
  - Relabel /etc/mdevctl.d
* Thu Sep 12 2024 Petr Lautrbach <[email protected]> - 41.17-1
  - Clean up and sync securetty_types
  - Bring config files from dist-git into the source repo
  - Confine gnome-remote-desktop
  - Allow virtstoraged execute mount programs in the mount domain
  - Make mdevctl_conf_t member of the file_type attribute
* Fri Sep 06 2024 Zdenek Pytela <[email protected]> - 41.16-1
  - Label /etc/mdevctl.d with mdevctl_conf_t
  - Sync users with Fedora targeted users
  - Update policy for rpc-virtstorage
  - Allow virtstoraged get attributes of configfs dirs
  - Fix SELinux policy for sandbox X server to fix 'sandbox -X' command
  - Update bootupd policy when ESP is not mounted
  - Allow thumb_t map dri devices
  - Allow samba use the io_uring API
  - Allow the sysadm user use the secretmem API
  - Allow nut-upsmon read systemd-logind session files
  - Allow sysadm_t to create PF_KEY sockets
  - Update bootupd policy for the removing-state-file test
  - Allow coreos-installer-generator manage mdadm_conf_t files
* Thu Aug 29 2024 Zdenek Pytela <[email protected]> - 41.15-1
  - Allow setsebool_t relabel selinux data files
  - Allow virtqemud relabelfrom virtqemud_var_run_t dirs
  - Use better escape method for "interface"
  - Allow init and systemd-logind to inherit fds from sshd
  - Allow systemd-ssh-generator read sysctl files
  - Sync modules.conf with Fedora targeted modules
  - Allow virtqemud relabel user tmp files and socket files
  - Add missing sys_chroot capability to groupadd policy
  - Label /run/libvirt/qemu/channel with virtqemud_var_run_t
  - Allow virtqemud relabelfrom also for file and sock_file
  - Add virt_create_log() and virt_write_log() interfaces
  - Call binaries without full path
* Mon Aug 12 2024 Zdenek Pytela <[email protected]> - 41.14-1
  - Update libvirt policy
  - Add port 80/udp and 443/udp to http_port_t definition
  - Additional updates stalld policy for bpf usage
  - Label systemd-pcrextend and systemd-pcrlock properly
  - Allow coreos_installer_t work with partitions
  - Revert "Allow coreos-installer-generator work with partitions"
  - Add policy for systemd-pcrextend
  - Update policy for systemd-getty-generator
  - Allow ip command write to ipsec's logs
  - Allow virt_driver_domain read virtd-lxc files in /proc
  - Revert "Allow svirt read virtqemud fifo files"
  - Update virtqemud policy for libguestfs usage
  - Allow virtproxyd create and use its private tmp files
  - Allow virtproxyd read network state
  - Allow virt_driver_domain create and use log files in /var/log
  - Allow samba-dcerpcd work with ctdb cluster
* Tue Aug 06 2024 Zdenek Pytela <[email protected]> - 41.13-1
  - Allow NetworkManager_dispatcher_t send SIGKILL to plugins
  - Allow setroubleshootd execute sendmail with a domain transition
  - Allow key.dns_resolve set attributes on the kernel key ring
  - Update qatlib policy for v24.02 with new features
  - Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t
  - Allow tlp status power services
  - Allow virtqemud domain transition on passt execution
  - Allow virt_driver_domain connect to systemd-userdbd over a unix socket
  - Allow boothd connect to systemd-userdbd over a unix socket
  - Update policy for awstats scripts
  - Allow bitlbee execute generic programs in system bin directories
  - Allow login_userdomain read aliases file
  - Allow login_userdomain read ipsec config files
  - Allow login_userdomain read all pid files
  - Allow rsyslog read systemd-logind session files
  - Allow libvirt-dbus stream connect to virtlxcd
* Wed Jul 31 2024 Zdenek Pytela <[email protected]> - 41.12-1
  - Update bootupd policy
  - Allow rhsmcertd read/write access to /dev/papr-sysparm
  - Label /dev/papr-sysparm and /dev/papr-vpd
  - Allow abrt-dump-journal-core connect to winbindd
  - Allow systemd-hostnamed shut down nscd
  - Allow systemd-pstore send a message to syslogd over a unix domain
  - Allow postfix_domain map postfix_etc_t files
  - Allow microcode create /sys/devices/system/cpu/microcode/reload
  - Allow rhsmcertd read, write, and map ica tmpfs files
  - Support SGX devices
  - Allow initrc_t transition to passwd_t
  - Update fstab and cryptsetup generators policy
  - Allow xdm_t read and write the dma device
  - Update stalld policy for bpf usage
  - Allow systemd_gpt_generator to getattr on DOS directories
* Thu Jul 25 2024 Zdenek Pytela <[email protected]> - 41.11-1
  - Make cgroup_memory_pressure_t a part of the file_type attribute
  - Allow ssh_t to change role to system_r
  - Update policy for coreos generators
  - Allow init_t nnp domain transition to firewalld_t
  - Label /run/modprobe.d with modules_conf_t
  - Allow virtnodedevd run udev with a domain transition
  - Allow virtnodedev_t create and use virtnodedev_lock_t
  - Allow virtstoraged manage files with virt_content_t type
  - Allow virtqemud unmount a filesystem with extended attributes
  - Allow svirt_t connect to unconfined_t over a unix domain socket
* Mon Jul 22 2024 Zdenek Pytela <[email protected]> - 41.10-1
  - Update afterburn file transition policy
  - Allow systemd_generator read attributes of all filesystems
  - Allow fstab-generator read and write cryptsetup-generator unit file
  - Allow cryptsetup-generator read and write fstab-generator unit file
  - Allow systemd_generator map files in /etc
  - Allow systemd_generator read init's process state
  - Allow coreos-installer-generator read sssd public files
  - Allow coreos-installer-generator work with partitions
  - Label /etc/mdadm.conf.d with mdadm_conf_t
  - Confine coreos generators
  - Label /run/metadata with afterburn_runtime_t
  - Allow afterburn list ssh home directory
  - Label samba certificates with samba_cert_t
  - Label /run/coreos-installer-reboot with coreos_installer_var_run_t
  - Allow virtqemud read virt-dbus process state
  - Allow staff user dbus chat with virt-dbus
  - Allow staff use watch /run/systemd
  - Allow systemd_generator to write kmsg
* Sat Jul 20 2024 Fedora Release Engineering <[email protected]> - 41.9-2
  - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Tue Jul 16 2024 Zdenek Pytela <[email protected]> - 41.9-1
  - Allow virtqemud connect to sanlock over a unix stream socket
  - Allow virtqemud relabel virt_var_run_t directories
  - Allow svirt_tcg_t read vm sysctls
  - Allow virtnodedevd connect to systemd-userdbd over a unix socket
  - Allow svirt read virtqemud fifo files
  - Allow svirt attach_queue to a virtqemud tun_socket
  - Allow virtqemud run ssh client with a transition
  - Allow virt_dbus_t connect to virtqemud_t over a unix stream socket
  - Update keyutils policy
  - Allow sshd_keygen_t connect to userdbd over a unix stream socket
  - Allow postfix-smtpd read mysql config files
  - Allow locate stream connect to systemd-userdbd
  - Allow the staff user use wireshark
  - Allow updatedb connect to userdbd over a unix stream socket
  - Allow gpg_t set attributes of public-keys.d
  - Allow gpg_t get attributes of login_userdomain stream
  - Allow systemd_getty_generator_t read /proc/1/environ
  - Allow systemd_getty_generator_t to read and write to tty_device_t
* Thu Jul 11 2024 Petr Lautrbach <[email protected]> 41.8-4
  - Move %postInstall to %posttrans
  - Use `Requires(meta): (rpm-plugin-selinux if rpm-libs)`
  - Drop obsolete modules from config
  - Install dnf protected files only when policy is built
* Thu Jul 11 2024 Zbigniew Jędrzejewski-Szmek <[email protected]> - 41.8-3
  - Relabel files under /usr/bin to fix stale context after sbin merge
* Wed Jul 10 2024 Petr Lautrbach <[email protected]> 41.8-2
  - Merge -base and -contrib
* Wed Jul 10 2024 Zdenek Pytela <[email protected]> - 41.8-1
  - Drop publicfile module
  - Remove permissive domain for systemd_nsresourced_t
  - Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t
  - Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t
  - Allow to create and delete socket files created by rhsm.service
  - Allow virtnetworkd exec shell when virt_hooks_unconfined is on
  - Allow unconfined_service_t transition to passwd_t
  - Support /var is empty
  - Allow abrt-dump-journal read all non_security socket files
  - Allow timemaster write to sysfs files
  - Dontaudit domain write cgroup files
  - Label /usr/lib/node_modules/npm/bin with bin_t
  - Allow ip the setexec permission
  - Allow systemd-networkd write files in /var/lib/systemd/network
  - Fix typo in systemd_nsresourced_prog_run_bpf()
* Fri Jun 28 2024 Zdenek Pytela <[email protected]> - 41.7-1
  - Confine libvirt-dbus
  - Allow virtqemud the kill capability in user namespace
  - Allow rshim get options of the netlink class for KOBJECT_UEVENT family
  - Allow dhcpcd the kill capability
  - Allow systemd-networkd list /var/lib/systemd/network
  - Allow sysadm_t run systemd-nsresourced bpf programs
  - Update policy for systemd generators interactions
  - Allow create memory.pressure files with cgroup_memory_pressure_t
  - Add support for libvirt hooks
* Wed Jun 19 2024 Zdenek Pytela <[email protected]> - 41.6-1
  - Allow certmonger read and write tpm devices
  - Allow all domains to connect to systemd-nsresourced over a unix socket
  - Allow systemd-machined read the vsock device
  - Update policy for systemd generators
  - Allow ptp4l_t request that the kernel load a kernel module
  - Allow sbd to trace processes in user namespace
  - Allow request-key execute scripts
  - Update policy for haproxyd
* Tue Jun 18 2024 Zdenek Pytela <[email protected]> - 41.5-1
  - Update policy for systemd-nsresourced
  - Correct sbin-related file context entries
* Mon Jun 17 2024 Zdenek Pytela <[email protected]> - 41.4-1
  - Allow login_userdomain execute systemd-tmpfiles in the caller domain
  - Allow virt_driver_domain read files labeled unconfined_t
  - Allow virt_driver_domain dbus chat with policykit
  - Allow virtqemud manage nfs files when virt_use_nfs boolean is on
  - Add rules for interactions between generators
  - Label memory.pressure files with cgroup_memory_pressure_t
  - Revert "Allow some systemd services write to cgroup files"
  - Update policy for systemd-nsresourced
  - Label /usr/bin/ntfsck with fsadm_exec_t
  - Allow systemd_fstab_generator_t read tmpfs files
  - Update policy for systemd-nsresourced
  - Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
  - Remove a few lines duplicated between {dkim,milter}.fc
  - Alias /bin → /usr/bin and remove redundant paths
  - Drop duplicate line for /usr/sbin/unix_chkpwd
  - Drop duplicate paths for /usr/sbin
* Tue Jun 11 2024 Zdenek Pytela <[email protected]> - 41.3-1
  - Update systemd-generator policy
  - Remove permissive domain for bootupd_t
  - Remove permissive domain for coreos_installer_t
  - Remove permissive domain for afterburn_t
  - Add the sap module to modules.conf
  - Move unconfined_domain(sap_unconfined_t) to an optional block
  - Create the sap module
  - Allow systemd-coredumpd sys_admin and sys_resource capabilities
  - Allow systemd-coredump read nsfs files
  - Allow generators auto file transition only for plain files
  - Allow systemd-hwdb write to the kernel messages device
  - Escape "interface" as a file name in a virt filetrans pattern
  - Allow gnome-software work for login_userdomain
  - Allow systemd-machined manage runtime sockets
  - Revert "Allow systemd-machined manage runtime sockets"
* Fri Jun 07 2024 Zdenek Pytela <[email protected]> - 41.2-1
  - Allow postfix_domain connect to postgresql over a unix socket
  - Dontaudit systemd-coredump sys_admin capability
  - Allow all domains read and write z90crypt device
  - Allow tpm2 generator setfscreate
  - Allow systemd (PID 1) manage systemd conf files
  - Allow pulseaudio map its runtime files
  - Update policy for getty-generator
  - Allow systemd-hwdb send messages to kernel unix datagram sockets
  - Allow systemd-machined manage runtime sockets
* Mon Jun 03 2024 Zdenek Pytela <[email protected]> - 41.1-1
  - Allow fstab-generator create unit file symlinks
  - Update policy for cryptsetup-generator
  - Update policy for fstab-generator
  - Allow virtqemud read vm sysctls
  - Allow collectd to trace processes in user namespace
  - Allow bootupd search efivarfs dirs
  - Add policy for systemd-mountfsd
  - Add policy for systemd-nsresourced
  - Update policy generators
  - Add policy for anaconda-generator
  - Update policy for fstab and gpt generators
  - Add policy for kdump-dep-generator
* Thu May 30 2024 Zdenek Pytela <[email protected]> - 40.21-1
  - Add policy for a generic generator
  - Add policy for tpm2 generator
  - Add policy for ssh-generator
  - Add policy for second batch of generators
  - Update policy for systemd generators
  - ci: Adjust Cockpit test plans
* Sun May 19 2024 Zdenek Pytela <[email protected]> - 40.20-1
  - Allow journald read systemd config files and directories
  - Allow systemd_domain read systemd_conf_t dirs
  - Fix bad Python regexp escapes
  - Allow fido services connect to postgres database
* Fri May 17 2024 Zdenek Pytela <[email protected]> - 40.19-1
  - Allow postfix smtpd map aliases file
  - Ensure dbus communication is allowed bidirectionally
  - Label systemd configuration files with systemd_conf_t
  - Label /run/systemd/machine with systemd_machined_var_run_t
  - Allow systemd-hostnamed read the vsock device
  - Allow sysadm execute dmidecode using sudo
  - Allow sudodomain list files in /var
  - Allow setroubleshootd get attributes of all sysctls
  - Allow various services read and write z90crypt device
  - Allow nfsidmap connect to systemd-homed
  - Allow sandbox_x_client_t dbus chat with accountsd
  - Allow system_cronjob_t dbus chat with avahi_t
  - Allow staff_t the io_uring sqpoll permission
  - Allow staff_t use the io_uring API
  - Add support for secretmem anon inode
* Thu May 16 2024 Adam Williamson <[email protected]> - 40.18-3
  - Correct some errors in the RPM macro changes from -2
* Mon May 06 2024 Zdenek Pytela <[email protected]> - 40.18-2
  - Update rpm configuration for the /var/run equivalency change
* Mon May 06 2024 Zdenek Pytela <[email protected]> - 40.18-1
  - Allow virtqemud read vfio devices
  - Allow virtqemud get attributes of a tmpfs filesystem
  - Allow svirt_t read vm sysctls
  - Allow virtqemud create and unlink files in /etc/libvirt/
  - Allow virtqemud get attributes of cifs files
  - Allow virtqemud get attributes of filesystems with extended attributes
  - Allow virtqemud get attributes of NFS filesystems
  - Allow virt_domain read and write usb devices conditionally
  - Allow virtstoraged use the io_uring API
  - Allow virtstoraged execute lvm programs in the lvm domain
  - Allow virtnodevd_t map /var/lib files
  - Allow svirt_tcg_t map svirt_image_t files
  - Allow abrt-dump-journal-core connect to systemd-homed
  - Allow abrt-dump-journal-core connect to systemd-machined
  - Allow sssd create and use io_uring
  - Allow selinux-relabel-generator create units dir
  - Allow dbus-broker read/write inherited user ttys
* Thu Apr 25 2024 Zdenek Pytela <[email protected]> - 40.17-1
  - Define transitions for /run/libvirt/common and /run/libvirt/qemu
  - Allow systemd-sleep read raw disk data
  - Allow numad to trace processes in user namespace
  - Allow abrt-dump-journal-core connect to systemd-userdbd
  - Allow plymouthd read efivarfs files
  - Update the auth_dontaudit_read_passwd_file() interface
  - Label /dev/mmcblk0rpmb character device with removable_device_t
  - fix hibernate on btrfs swapfile (F40)
  - Allow nut to statfs()
  - Allow system dbusd service status systemd services
  - Allow systemd-timedated get the timemaster service status
* Tue Apr 09 2024 Zdenek Pytela <[email protected]> - 40.16-1
  - Allow keyutils-dns-resolver connect to the system log service
  - Allow qemu-ga read vm sysctls
  - postfix: allow qmgr to delete mails in bounce/ directory
  - policy: support pidfs
  - Confine selinux-autorelabel-generator.sh
  - Allow logwatch_mail_t read/write to init over a unix stream socket
  - Allow logwatch read logind sessions files
  - files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it
  - files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it
  - Allow NetworkManager the sys_ptrace capability in user namespace
  - dontaudit execmem for modemmanager
  - Allow dhcpcd use unix_stream_socket
  - Allow dhcpc read /run/netns files
* Fri Mar 15 2024 Zdenek Pytela <[email protected]> - 40.15-1
  - Update mmap_rw_file_perms to include the lock permission
  - Allow plymouthd log during shutdown
  - Add logging_watch_all_log_dirs() and logging_watch_all_log_files()
  - Allow journalctl_t read filesystem sysctls
  - Allow cgred_t to get attributes of cgroup filesystems
  - Allow wdmd read hardware state information
  - Allow wdmd list the contents of the sysfs directories
  - Allow linuxptp configure phc2sys and chronyd over a unix domain socket
  - Allow sulogin relabel tty1
  - Dontaudit sulogin the checkpoint_restore capability
  - Modify sudo_role_template() to allow getpgid
  - Remove incorrect "local" usage in varrun-convert.sh
* Thu Mar 07 2024 Zdenek Pytela <[email protected]> - 40.14-2
  - Update varrun-convert.sh script to check for existing duplicate entries
* Mon Feb 26 2024 Zdenek Pytela <[email protected]> - 40.14-1
  - Allow userdomain get attributes of files on an nsfs filesystem
  - Allow opafm create NFS files and directories
  - Allow virtqemud create and unlink files in /etc/libvirt/
  - Allow virtqemud domain transition on swtpm execution
  - Add the swtpm.if interface file for interactions with other domains
  - Allow samba to have dac_override capability
  - systemd: allow sys_admin capability for systemd_notify_t
  - systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
  - Allow thumb_t to watch and watch_reads mount_var_run_t
  - Allow krb5kdc_t map krb5kdc_principal_t files
  - Allow unprivileged confined user dbus chat with setroubleshoot
  - Allow login_userdomain map files in /var
  - Allow wireguard work with firewall-cmd
  - Differentiate between staff and sysadm when executing crontab with sudo
  - Add crontab_admin_domtrans interface
  - Allow abrt_t nnp domain transition to abrt_handle_event_t
  - Allow xdm_t to watch and watch_reads mount_var_run_t
  - Dontaudit subscription manager setfscreate and read file contexts
  - Don't audit crontab_domain write attempts to user home
  - Transition from sudodomains to crontab_t when executing crontab_exec_t
  - Add crontab_domtrans interface
  - Fix label of pseudoterminals created from sudodomain
  - Allow utempter_t use ptmx
  - Dontaudit rpmdb attempts to connect to sssd over a unix stream socket
  - Allow admin user read/write on fixed_disk_device_t
* Mon Feb 12 2024 Zdenek Pytela <[email protected]> - 40.13-1
  - Only allow confined user domains to login locally without unconfined_login
  - Add userdom_spec_domtrans_confined_admin_users interface
  - Only allow admindomain to execute shell via ssh with ssh_sysadm_login
  - Add userdom_spec_domtrans_admin_users interface
  - Move ssh dyntrans to unconfined inside unconfined_login tunable policy
  - Update ssh_role_template() for user ssh-agent type
  - Allow init to inherit system DBus file descriptors
  - Allow init to inherit fds from syslogd
  - Allow any domain to inherit fds from rpm-ostree
  - Update afterburn policy
  - Allow init_t nnp domain transition to abrtd_t
* Tue Feb 06 2024 Zdenek Pytela <[email protected]> - 40.12-1
  - Rename all /var/lock file context entries to /run/lock
  - Rename all /var/run file context entries to /run
  - Invert the "/var/run = /run" equivalency
* Mon Feb 05 2024 Zdenek Pytela <[email protected]> - 40.11-1
  - Replace init domtrans rule for confined users to allow exec init
  - Update dbus_role_template() to allow user service status
  - Allow polkit status all systemd services
  - Allow setroubleshootd create and use inherited io_uring
  - Allow load_policy read and write generic ptys
  - Allow gpg manage rpm cache
  - Allow login_userdomain name_bind to howl and xmsg udp ports
  - Allow rules for confined users logged in plasma
  - Label /dev/iommu with iommu_device_t
  - Remove duplicate file context entries in /run
  - Dontaudit getty and plymouth the checkpoint_restore capability
  - Allow su domains write login records
  - Revert "Allow su domains write login records"
  - Allow login_userdomain delete session dbusd tmp socket files
  - Allow unix dgram sendto between exim processes
  - Allow su domains write login records
  - Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
* Wed Jan 24 2024 Zdenek Pytela <[email protected]> - 40.10-1
  - Allow chronyd-restricted read chronyd key files
  - Allow conntrackd_t to use bpf capability2
  - Allow systemd-networkd manage its runtime socket files
  - Allow init_t nnp domain transition to colord_t
  - Allow polkit status systemd services
  - nova: Fix duplicate declarations
  - Allow httpd work with PrivateTmp
  - Add interfaces for watching and reading ifconfig_var_run_t
  - Allow collectd read raw fixed disk device
  - Allow collectd read udev pid files
  - Set correct label on /etc/pki/pki-tomcat/kra
  - Allow systemd domains watch system dbus pid socket files
  - Allow certmonger read network sysctls
  - Allow mdadm list stratisd data directories
  - Allow syslog to run unconfined scripts conditionally
  - Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
  - Allow qatlib set attributes of vfio device files
* Tue Jan 09 2024 Zdenek Pytela <[email protected]> - 40.9-1
  - Allow systemd-sleep set attributes of efivarfs files
  - Allow samba-dcerpcd read public files
  - Allow spamd_update_t the sys_ptrace capability in user namespace
  - Allow bluetooth devices work with alsa
  - Allow alsa get attributes filesystems with extended attributes
* Tue Jan 02 2024 Yaakov Selkowitz <[email protected]> - 40.8-2
  - Limit %selinux_requires to version, not release
* Thu Dec 21 2023 Zdenek Pytela <[email protected]> - 40.8-1
  - Allow hypervkvp_t write access to NetworkManager_etc_rw_t
  - Add interface for write-only access to NetworkManager rw conf
  - Allow systemd-sleep send a message to syslog over a unix dgram socket
  - Allow init create and use netlink netfilter socket
  - Allow qatlib load kernel modules
  - Allow qatlib run lspci
  - Allow qatlib manage its private runtime socket files
  - Allow qatlib read/write vfio devices
  - Label /etc/redis.conf with redis_conf_t
  - Remove the lockdown-class rules from the policy
  - Allow init read all non-security socket files
  - Replace redundant dnsmasq pattern macros
  - Remove unneeded symlink perms in dnsmasq.if
  - Add additions to dnsmasq interface
  - Allow nvme_stas_t create and use netlink kobject uevent socket
  - Allow collectd connect to statsd port
  - Allow keepalived_t to use sys_ptrace of cap_userns
  - Allow dovecot_auth_t connect to postgresql using UNIX socket
* Wed Dec 13 2023 Zdenek Pytela <[email protected]> - 40.7-1
  - Make named_zone_t and named_var_run_t a part of the mountpoint attribute
  - Allow sysadm execute traceroute in sysadm_t domain using sudo
  - Allow sysadm execute tcpdump in sysadm_t domain using sudo
  - Allow opafm search nfs directories
  - Add support for syslogd unconfined scripts
  - Allow gpsd use /dev/gnss devices
  - Allow gpg read rpm cache
  - Allow virtqemud additional permissions
  - Allow virtqemud manage its private lock files
  - Allow virtqemud use the io_uring api
  - Allow ddclient send e-mail notifications
  - Allow postfix_master_t map postfix data files
  - Allow init create and use vsock sockets
  - Allow thumb_t append to init unix domain stream sockets
  - Label /dev/vas with vas_device_t
  - Change domain_kernel_load_modules boolean to true
  - Create interface selinux_watch_config and add it to SELinux users
* Tue Nov 28 2023 Zdenek Pytela <[email protected]> - 40.6-1
  - Add afterburn to modules-targeted-contrib.conf
  - Update cifs interfaces to include fs_search_auto_mountpoints()
  - Allow sudodomain read var auth files
  - Allow spamd_update_t read hardware state information
  - Allow virtnetworkd domain transition on tc command execution
  - Allow sendmail MTA connect to sendmail LDA
  - Allow auditd read all domains process state
  - Allow rsync read network sysctls
  - Add dhcpcd bpf capability to run bpf programs
  - Dontaudit systemd-hwdb dac_override capability
  - Allow systemd-sleep create efivarfs files
* Tue Nov 14 2023 Zdenek Pytela <[email protected]> - 40.5-1
  - Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
  - Allow graphical applications work in Wayland
  - Allow kdump work with PrivateTmp
  - Allow dovecot-auth work with PrivateTmp
  - Allow nfsd get attributes of all filesystems
  - Allow unconfined_domain_type use io_uring cmd on domain
  - ci: Only run Rawhide revdeps tests on the rawhide branch
  - Label /var/run/auditd.state as auditd_var_run_t
  - Allow fido-device-onboard (FDO) read the crack database
  - Allow ip an explicit domain transition to other domains
  - Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
  - Allow  winbind_rpcd_t processes access when samba_export_all_* is on
  - Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
  - Allow ntp to bind and connect to ntske port.
  - Allow system_mail_t manage exim spool files and dirs
  - Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
  - Label /run/pcsd.socket with cluster_var_run_t
  - ci: Run cockpit tests in PRs
* Thu Oct 19 2023 Zdenek Pytela <[email protected]> - 40.4-1
  - Add map_read map_write to kernel_prog_run_bpf
  - Allow systemd-fstab-generator read all symlinks
  - Allow systemd-fstab-generator the dac_override capability
  - Allow rpcbind read network sysctls
  - Support using systemd containers
  - Allow sysadm_t to connect to iscsid using a unix domain stream socket
  - Add policy for coreos installer
  - Add coreos_installer to modules-targeted-contrib.conf
* Tue Oct 17 2023 Zdenek Pytela <[email protected]> - 40.3-1
  - Add policy for nvme-stas
  - Confine systemd fstab,sysv,rc-local
  - Label /etc/aliases.lmdb with etc_aliases_t
  - Create policy for afterburn
  - Add nvme_stas to modules-targeted-contrib.conf
  - Add plans/tests.fmf
* Tue Oct 10 2023 Zdenek Pytela <[email protected]> - 40.2-1
  - Add the virt_supplementary module to modules-targeted-contrib.conf
  - Make new virt drivers permissive
  - Split virt policy, introduce virt_supplementary module
  - Allow apcupsd cgi scripts read /sys
  - Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes
  - Allow kernel_t to manage and relabel all files
  - Add missing optional_policy() to files_relabel_all_files()
* Tue Oct 03 2023 Zdenek Pytela <[email protected]> - 40.1-1
  - Allow named and ndc use the io_uring api
  - Deprecate common_anon_inode_perms usage
  - Improve default file context(None) of /var/lib/authselect/backups
  - Allow udev_t to search all directories with a filesystem type
  - Implement proper anon_inode support
  - Allow targetd write to the syslog pid sock_file
  - Add ipa_pki_retrieve_key_exec() interface
  - Allow kdumpctl_t to list all directories with a filesystem type
  - Allow udev additional permissions
  - Allow udev load kernel module
  - Allow sysadm_t to mmap modules_object_t files
  - Add the unconfined_read_files() and unconfined_list_dirs() interfaces
  - Set default file context of HOME_DIR/tmp/.* to <<none>>
  - Allow kernel_generic_helper_t to execute mount(1)

Files

/usr/share/selinux/packages/sandbox.pp


Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Dec 10 05:05:30 2024