selinux-policy-38.1.44-1.el9 | Build Info

Information for build selinux-policy-38.1.44-1.el9

19925

Package Name

selinux-policy

Version

38.1.44

Release

1.el9

Epoch

Source

git+http://git.inferitos.ru/rpms/selinux-policy#3f95bf6573b255a13016d973a1fe568130339693

Summary

SELinux policy configuration

Description

SELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora.

Built by

tigro

State

complete

Volume

DEFAULT

Started

Tue, 08 Oct 2024 15:45:02 MSK

Completed

Tue, 08 Oct 2024 15:58:59 MSK

Task

build (inferit-9_5-bootstrap, /rpms/selinux-policy/:changed/i9c-beta/selinux-policy-38.1.44-1.el9)

Extra

{'source': {'original_url': 'git+http://git.inferitos.ru/rpms/selinux-policy/?#changed/i9c-beta/selinux-policy-38.1.44-1.el9'}}

Tags

inferit-9_5-bootstrap

RPMs

src
	selinux-policy-38.1.44-1.el9.src.rpm (info) (download)
noarch
	selinux-policy-38.1.44-1.el9.noarch.rpm (info) (download)
	selinux-policy-devel-38.1.44-1.el9.noarch.rpm (info) (download)
	selinux-policy-doc-38.1.44-1.el9.noarch.rpm (info) (download)
	selinux-policy-minimum-38.1.44-1.el9.noarch.rpm (info) (download)
	selinux-policy-mls-38.1.44-1.el9.noarch.rpm (info) (download)
	selinux-policy-sandbox-38.1.44-1.el9.noarch.rpm (info) (download)
	selinux-policy-targeted-38.1.44-1.el9.noarch.rpm (info) (download)

Logs

noarch
	noarch_rpmdiff.json
	root.log
	state.log
	mock_output.log
	installed_pkgs.log
	hw_info.log
	build.log

Changelog

* Mon Aug 12 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.44-1 - Allow coreos-installer-generator work with partitions Resolves: RHEL-38614 - Label /etc/mdadm.conf.d with mdadm_conf_t Resolves: RHEL-38614 - Change file context specification to /var/run/metadata Resolves: RHEL-49735 - Allow initrc_t transition to passwd_t Resolves: RHEL-17404 - systemd: allow systemd_notify_t to send data to kernel_t datagram sockets Resolves: RHEL-25514 - systemd: allow sys_admin capability for systemd_notify_t Resolves: RHEL-25514 - Change systemd-network-generator transition to include class file Resolves: RHEL-47033 - Allow sshd_keygen_t connect to userdbd over a unix stream socket Resolves: RHEL-47033 * Wed Jul 31 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.43-1 - Allow rhsmcertd read/write access to /dev/papr-sysparm Resolves: RHEL-49599 - Label /dev/papr-sysparm and /dev/papr-vpd Resolves: RHEL-49599 - Allow rhsmcertd read, write, and map ica tmpfs files Resolves: RHEL-50926 - Update afterburn file transition policy Resolves: RHEL-49735 - Label /run/metadata with afterburn_runtime_t Resolves: RHEL-49735 - Allow afterburn list ssh home directory Resolves: RHEL-49735 - Support SGX devices Resolves: RHEL-50922 - Allow systemd-pstore send a message to syslogd over a unix domain Resolves: RHEL-45528 - Allow postfix_domain map postfix_etc_t files Resolves: RHEL-46332 - Allow microcode create /sys/devices/system/cpu/microcode/reload Resolves: RHEL-26821 - Allow svirt_tcg_t map svirt_image_t files Resolves: RHEL-27141 - Allow systemd-hostnamed shut down nscd Resolves: RHEL-45033 - Allow postfix_domain connect to postgresql over a unix socket Resolves: RHEL-6776 * Thu Jul 18 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.42-1 - Label samba certificates with samba_cert_t Resolves: RHEL-25724 - Allow systemd-coredumpd the sys_chroot capability Resolves: RHEL-45245 - Allow svirt_tcg_t read vm sysctls Resolves: RHEL-27141 - Label /usr/sbin/samba-gpupdate with samba_gpupdate_exec_t Resolves: RHEL-25724 - Label /var/run/coreos-installer-reboot with coreos_installer_var_run_t Resolves: RHEL-38614 - Allow coreos-installer add systemd unit file links Resolves: RHEL-38614 * Sun Jul 07 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.41-1 - Differentiate between staff and sysadm when executing crontab with sudo Resolves: RHEL-31888 - Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t Resolves: RHEL-25724 - Allow unconfined_service_t transition to passwd_t Resolves: RHEL-17404 - Allow sbd to trace processes in user namespace Resolves: RHEL-44680 - Allow systemd-coredumpd sys_admin and sys_resource capabilities Resolves: RHEL-45245 - Label /usr/lib/node_modules/npm/bin with bin_t Resolves: RHEL-36587 - Support /var is empty Resolves: RHEL-29331 - Allow timemaster write to sysfs files Resolves: RHEL-28777 - Don't audit crontab_domain write attempts to user home Resolves: RHEL-31888 - Transition from sudodomains to crontab_t when executing crontab_exec_t Resolves: RHEL-31888 - Fix label of pseudoterminals created from sudodomain Resolves: RHEL-31888 * Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.40-1 - Allow systemd-coredump read nsfs files Resolves: RHEL-39937 - Allow login_userdomain execute systemd-tmpfiles in the caller domain Resolves: RHEL-40374 - Allow ptp4l_t request that the kernel load a kernel module Resolves: RHEL-38905 - Allow collectd to trace processes in user namespace Resolves: RHEL-36293 * Thu Jun 06 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.39-1 - Add interfaces for watching and reading ifconfig_var_run_t Resolves: RHEL-39408 - Allow dhcpcd use unix_stream_socket Resolves: RHEL-39408 - Allow dhcpc read /run/netns files Resolves: RHEL-39408 - Allow all domains read and write z90crypt device Resolves: RHEL-38833 - Allow bootupd search efivarfs dirs Resolves: RHEL-36289 - Move unconfined_domain(sap_unconfined_t) to an optional block Resolves: RHEL-37663 * Thu May 16 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.38-1 - Add boolean qemu-ga to run unconfined script Resolves: RHEL-31211 - Ensure dbus communication is allowed bidirectionally Resolves: RHEL-35782 - Allow logwatch_mail_t read network sysctls Resolves: RHEL-34135 - Allow sysadm execute dmidecode using sudo Resolves: RHEL-16104 - Allow sudodomain list files in /var Resolves: RHEL-16104 - Allow various services read and write z90crypt device Resolves: RHEL-33361 - Allow system_cronjob_t dbus chat with avahi_t Resolves: RHEL-32290 - Allow setroubleshootd get attributes of all sysctls Resolves: RHEL-34078 - Remove permissive domain for bootupd_t Resolves: RHEL-22173 * Tue May 07 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.37-1 - Allow numad to trace processes in user namespace Resolves: RHEL-33994 - Remove permissive domain for rshim_t Resolves: RHEL-22173 - Remove permissive domain for mptcpd_t Resolves: RHEL-22173 - Remove permissive domain for coreos_installer_t Resolves: RHEL-22173 - Remove permissive domain for afterburn_t Resolves: RHEL-22173 - Update afterburn policy Resolves: RHEL-22173 - Allow bootupd search EFI directory Resolves: RHEL-22172 - Add the bootupd module Resolves: RHEL-22172 - Add policy for bootupd Resolves: RHEL-22172 - Label /dev/mmcblk0rpmb character device with removable_device_t Resolves: RHEL-28080 - Differentiate between staff and sysadm when executing crontab with sudo Resolves: RHEL-31888 - Add crontab_admin_domtrans interface Resolves: RHEL-31888 - Add crontab_domtrans interface Resolves: RHEL-31888 - Allow svirt_t read vm sysctls Resolves: RHEL-32296 * Mon Apr 15 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.36-1 - Allow systemd-timedated get the timemaster service status Resolves: RHEL-25978 - postfix: allow qmgr to delete mails in bounce/ directory Resolves: RHEL-30271 - Allow NetworkManager the sys_ptrace capability in user namespace Resolves: RHEL-24346 - Label /dev/iommu with iommu_device_t Resolves: RHEL-22063 - Allow qemu-ga read vm sysctls Resolves: RHEL-31892 - Update repository link and branches names for c9s Related: RHEL-22960 * Thu Mar 14 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.35-2 - Rebuild Resolves: RHEL-26663 * Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.35-1 - Allow wdmd read hardware state information Resolves: RHEL-26663 * Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.34-1 - Allow wdmd list the contents of the sysfs directories Resolves: RHEL-26663 - Allow linuxptp configure phc2sys and chronyd over a unix domain socket Resolves: RHEL-26660 * Thu Feb 22 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.33-1 - Allow thumb_t to watch and watch_reads mount_var_run_t Resolves: RHEL-26073 - Allow opafm create NFS files and directories Resolves: RHEL-17820 - Label /tmp/libdnf.* with user_tmp_t Resolves: RHEL-11250 * Thu Feb 15 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.32-1 - Dontaudit subscription manager setfscreate and read file contexts Resolves: RHEL-21635 - Allow xdm_t to watch and watch_reads mount_var_run_t Resolves: RHEL-24841 - Allow unix dgram sendto between exim processes Resolves: RHEL-21902 - Allow utempter_t use ptmx Resolves: RHEL-24946 - Only allow confined user domains to login locally without unconfined_login Resolves: RHEL-1551 - Add userdom_spec_domtrans_confined_admin_users interface Resolves: RHEL-1551 - Only allow admindomain to execute shell via ssh with ssh_sysadm_login Resolves: RHEL-1551 - Add userdom_spec_domtrans_admin_users interface Resolves: RHEL-1551 - Move ssh dyntrans to unconfined inside unconfined_login tunable policy Resolves: RHEL-1551 * Thu Jan 25 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.31-1 - Allow chronyd-restricted read chronyd key files Resolves: RHEL-18219 - Allow conntrackd_t to use bpf capability2 Resolves: RHEL-22277 - Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on Resolves: RHEL-14735 - Allow hypervkvp_t write access to NetworkManager_etc_rw_t Resolves: RHEL-14505 - Add interface for write-only access to NetworkManager rw conf Resolves: RHEL-14505 - Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes Resolves: RHEL-11792 * Fri Jan 12 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.30-1 - Allow sysadm execute traceroute in sysadm_t domain using sudo Resolves: RHEL-14077 - Allow qatlib set attributes of vfio device files Resolves: RHEL-19051 - Allow qatlib load kernel modules Resolves: RHEL-19051 - Allow qatlib run lspci Resolves: RHEL-19051 - Allow qatlib manage its private runtime socket files Resolves: RHEL-19051 - Allow qatlib read/write vfio devices Resolves: RHEL-19051 - Allow syslog to run unconfined scripts conditionally Resolves: RHEL-11174 - Allow syslogd_t nnp_transition to syslogd_unconfined_script_t Resolves: RHEL-11174 - Allow sendmail MTA connect to sendmail LDA Resolves: RHEL-15175 - Allow sysadm execute tcpdump in sysadm_t domain using sudo Resolves: RHEL-15432 - Allow opafm search nfs directories Resolves: RHEL-17820 - Allow mdadm list stratisd data directories Resolves: RHEL-19276 - Update cyrus_stream_connect() to use sockets in /run Resolves: RHEL-19282 - Allow collectd connect to statsd port Resolves: RHEL-21044 - Allow insights-client transition to sap unconfined domain Resolves: RHEL-21452 - Create the sap module Resolves: RHEL-21452 * Thu Dec 14 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.29-1 - Add init_explicit_domain() interface Resolves: RHEL-18219 - Allow dovecot_auth_t connect to postgresql using UNIX socket Resolves: RHEL-16850 - Allow keepalived_t to use sys_ptrace of cap_userns Resolves: RHEL-17156 - Make `bootc` be `install_exec_t` Resolves: RHEL-19199 - Add support for chronyd-restricted Resolves: RHEL-18219 - Label /dev/vas with vas_device_t Resolves: RHEL-17336 - Allow gpsd use /dev/gnss devices Resolves: RHEL-16676 - Allow sendmail manage its runtime files Resolves: RHEL-15175 - Add support for syslogd unconfined scripts Resolves: RHEL-11174 * Thu Nov 30 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.28-1 - Create interface selinux_watch_config and add it to SELinux users Resolves: RHEL-1555 - Allow winbind_rpcd_t processes access when samba_export_all_* is on Resolves: RHEL-16273 - Allow samba-dcerpcd connect to systemd_machined over a unix socket Resolves: RHEL-16273 - Allow winbind-rpcd make a TCP connection to the ldap port Resolves: RHEL-16273 - Allow sudodomain read var auth files Resolves: RHEL-16708 - Allow auditd read all domains process state Resolves: RHEL-14285 - Allow rsync read network sysctls Resolves: RHEL-14638 - Add dhcpcd bpf capability to run bpf programs Resolves: RHEL-15326 - Allow systemd-localed create Xserver config dirs Resolves: RHEL-16716 - Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t Resolves: RHEL-1553 - Update sendmail policy module for opensmtpd Resolves: RHEL-15175 * Tue Nov 14 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.27-1 - Remove glusterd module Resolves: RHEL-1548 - Improve default file context(None) of /var/lib/authselect/backups Resolves: RHEL-15220 - Set default file context of /var/lib/authselect/backups to <<none>> Resolves: RHEL-15220 - Create policy for afterburn Resolves: RHEL-12591 - Allow unconfined_domain_type use io_uring cmd on domain Resolves: RHEL-11792 - Add policy for coreos installer Resovles: RHEL-5164 - Add policy for nvme-stas Resolves: RHEL-1557 - Label /var/run/auditd.state as auditd_var_run_t Resolves: RHEL-14374 - Allow ntp to bind and connect to ntske port. Resolves: RHEL-15085 - Allow ip an explicit domain transition to other domains Resolves: RHEL-14246 - Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t Resolves: RHEL-14289 - Allow sssd domain transition on passkey_child execution conditionally Resolves: RHEL-14014 - Allow sssd use usb devices conditionally Resolves: RHEL-14014 - Allow kdump create and use its memfd: objects Resolves: RHEL-14413 * Tue Oct 31 2023 Zdenek Pytela <zpytela@redhat.com> - 38.1.26-1 - Allow kdump create and use its memfd: objects Resolves: RHEL-14413 * Fri Oct 20 2023 Zdenek Pytela <zpytela@redhat.com> - 38.1.25-1 - Add map_read map_write to kernel_prog_run_bpf Resolves: RHEL-2653 - Allow sysadm_t read nsfs files Resolves: RHEL-5146 - Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t Resolves: RHEL-14029 - Allow system_mail_t manage exim spool files and dirs Resolves: RHEL-14110 - Label /run/pcsd.socket with cluster_var_run_t Resolves: RHEL-1664 * Fri Sep 29 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.24-1 - Allow cupsd_t to use bpf capability Resolves: RHEL-3633 - Label /dev/gnss[0-9] with gnss_device_t Resolves: RHEL-9936 - Dontaudit rhsmcertd write memory device Resolves: RHEL-1547 * Fri Aug 25 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.23-1 - Allow cups-pdf connect to the system log service Resolves: rhbz#2234765 - Update policy for qatlib Resolves: rhbz#2080443 * Thu Aug 24 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.22-1 - Allow qatlib to modify hardware state information. Resolves: rhbz#2080443 - Update policy for fdo Resolves: rhbz#2229722 - Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file Resolves: rhbz#2223305 - Allow svirt to rw /dev/udmabuf Resolves: rhbz#2223727 - Allow keepalived watch var_run dirs Resolves: rhbz#2186759 * Thu Aug 17 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.21-1 - Allow logrotate_t to map generic files in /etc Resolves: rhbz#2231257 - Allow insights-client manage user temporary files Resolves: rhbz#2224737 - Make insights_client_t an unconfined domain Resolves: rhbz#2225526 * Fri Aug 11 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.20-1 - Allow user_u and staff_u get attributes of non-security dirs Resolves: rhbz#2215507 - Allow cloud_init create dhclient var files and init_t manage net_conf_t Resolves: rhbz#2225418 - Allow samba-dcerpc service manage samba tmp files Resolves: rhbz#2230365 - Update samba-dcerpc policy for printing Resolves: rhbz#2230365 - Allow sysadm_t run kernel bpf programs Resolves: rhbz#2229936 - allow mon_procd_t self:cap_userns sys_ptrace Resolves: rhbz#2221986 - Remove nsplugin_role from mozilla.if Resolves: rhbz#2221251 - Allow unconfined user filetrans chrome_sandbox_home_t Resolves: rhbz#2187893 - Allow pdns name_bind and name_connect all ports Resolves: rhbz#2047945 - Allow insights-client read and write cluster tmpfs files Resolves: rhbz#2221631 - Allow ipsec read nsfs files Resolves: rhbz#2230277 - Allow upsmon execute upsmon via a helper script Resolves: rhbz#2228403 - Fix labeling for no-stub-resolv.conf Resolves: rhbz#2148390 - Add use_nfs_home_dirs boolean for mozilla_plugin Resolves: rhbz#2214298 - Change wording in /etc/selinux/config Resolves: rhbz#2143153 * Thu Aug 03 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.19-1 - Allow qatlib to read sssd public files Resolves: rhbz#2080443 - Fix location for /run/nsd Resolves: rhbz#2181600 - Allow samba-rpcd work with passwords Resolves: rhbz#2107092 - Allow rpcd_lsad setcap and use generic ptys Resolves: rhbz#2107092 - Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty Resolves: rhbz#2223305 - Allow keepalived to manage its tmp files Resolves: rhbz#2179212 - Allow nscd watch system db dirs Resolves: rhbz#2152124 * Fri Jul 21 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.18-1 - Boolean: Allow virt_qemu_ga create ssh directory Resolves: rhbz#2181402 - Allow virt_qemu_ga_t create .ssh dir with correct label Resolves: rhbz#2181402 - Set default ports for keylime policy Resolves: RHEL-594 - Allow unconfined service inherit signal state from init Resolves: rhbz#2186233 - Allow sa-update connect to systemlog services Resolves: rhbz#2220643 - Allow sa-update manage spamc home files Resolves: rhbz#2220643 - Label only /usr/sbin/ripd and ripngd with zebra_exec_t Resolves: rhbz#2213605 - Add the files_getattr_non_auth_dirs() interface Resolves: rhbz#2076933 - Update policy for the sblim-sfcb service Resolves: rhbz#2076933 - Define equivalency for /run/systemd/generator.early Resolves: rhbz#2213516 * Thu Jun 29 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.17-1 - Add the qatlib module Resolves: rhbz#2080443 - Add the fdo module Resolves: rhbz#2026795 - Add the booth module to modules.conf Resolves: rhbz#2128833 * Thu Jun 29 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.16-1 - Remove permissive from fdo Resolves: rhbz#2026795 - Add the qatlib module Resolves: rhbz#2080443 - Add the fdo module Resolves: rhbz#2026795 - Add the booth module to modules.conf Resolves: rhbz#2128833 - Add policy for FIDO Device Onboard Resolves: rhbz#2026795 - Create policy for qatlib Resolves: rhbz#2080443 - Add policy for boothd Resolves: rhbz#2128833 - Add list_dir_perms to kerberos_read_keytab Resolves: rhbz#2112729 - Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t Resolves: rhbz#2209973 - Allow collectd_t read network state symlinks Resolves: rhbz#2209650 - Revert "Allow collectd_t read proc_net link files" Resolves: rhbz#2209650 - Allow insights-client execmem Resolves: rhbz#2207894 - Label udf tools with fsadm_exec_t Resolves: rhbz#2039774 * Thu Jun 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.1.15-1 - Add fs_delete_pstore_files() interface Resolves: rhbz#2181565 - Add fs_read_pstore_files() interface Resolves: rhbz#2181565 - Allow insights-client getsession process permission Resolves: rhbz#2214581 - Allow insights-client work with pipe and socket tmp files Resolves: rhbz#2214581 - Allow insights-client map generic log files Resolves: rhbz#2214581 - Allow insights-client read unconfined service semaphores Resolves: rhbz#2214581 - Allow insights-client get quotas of all filesystems Resolves: rhbz#2214581 - Allow haproxy read hardware state information Resolves: rhbz#2164691 - Allow cupsd dbus chat with xdm Resolves: rhbz#2143641 - Allow dovecot_deliver_t create/map dovecot_spool_t dir/file Resolves: rhbz#2165863 - Add none file context for polyinstantiated tmp dirs Resolves: rhbz#2099194 - Add support for the systemd-pstore service Resolves: rhbz#2181565 - Label /dev/userfaultfd with userfaultfd_t Resolves: rhbz#2175290 - Allow collectd_t read proc_net link files Resolves: rhbz#2209650 - Label smtpd with sendmail_exec_t Resolves: rhbz#2213573 - Label msmtp and msmtpd with sendmail_exec_t Resolves: rhbz#2213573 - Allow dovecot-deliver write to the main process runtime fifo files Resolves: rhbz#2211787 - Allow subscription-manager execute ip Resolves: rhbz#2211566 - Allow ftpd read network sysctls Resolves: rhbz#2175856 * Fri May 26 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.14-1 - Allow firewalld rw ica_tmpfs_t files Resolves: rhbz#2207487 - Add chromium_sandbox_t setcap capability Resolves: rhbz#2187893 - Allow certmonger manage cluster library files Resolves: rhbz#2179022 - Allow wireguard to rw network sysctls Resolves: rhbz#2192154 - Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t Resolves: rhbz#2188173 - Allow plymouthd_t bpf capability to run bpf programs Resolves: rhbz#2184803 - Update pkcsslotd policy for sandboxing Resolves: rhbz#2209235 - Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t Resolves: rhbz#2203201 * Thu May 18 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.13-1 - Allow insights-client work with teamdctl Resolves: rhbz#2190178 - Allow virsh name_connect virt_port_t Resolves: rhzb#2187290 - Allow cupsd to create samba_var_t files Resolves: rhbz#2174445 - Allow dovecot to map files in /var/spool/dovecot Resolves: rhbz#2165863 - Add tunable to allow squid bind snmp port Resolves: rhbz#2151378 - Allow rhsmcert request the kernel to load a module Resolves: rhbz#2203359 - Allow snmpd read raw disk data Resolves: rhbz#2196528 * Fri Apr 14 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 38.1.12-1 - Rebuilt for MSVSphere 9.2 beta * Fri Apr 14 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.12-1 - Allow cloud-init domain transition to insights-client domain Resolves: rhbz#2162663 - Allow chronyd send a message to cloud-init over a datagram socket Resolves: rhbz#2162663 - Allow dmidecode write to cloud-init tmp files Resolves: rhbz#2162663 - Allow login_pgm setcap permission Resolves: rhbz#2174331 - Allow tshark the setsched capability Resolves: rhbz#2165634 - Allow chronyc read network sysctls Resolves: rhbz#2173604 - Allow systemd-timedated watch init runtime dir Resolves: rhbz#2175137 - Add journalctl the sys_resource capability Resolves: rhbz#2153782 - Allow system_cronjob_t transition to rpm_script_t Resolves: rhbz#2173685 - Revert "Allow system_cronjob_t domtrans to rpm_script_t" Resolves: rhbz#2173685 - Allow insights-client tcp connect to all ports Resolves: rhbz#2183083 - Allow insights-client work with su and lpstat Resolves: rhbz#2183083 - Allow insights-client manage fsadm pid files Resolves: rhbz#2183083 - Allow insights-client read all sysctls Resolves: rhbz#2183083 - Allow rabbitmq to read network sysctls Resolves: rhbz#2184999 * Tue Mar 28 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.11-2 - rebuilt Resolves: rhbz#2172268 * Mon Mar 27 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.11-1 - Allow passt manage qemu pid sock files Resolves: rhbz#2172268 - Exclude passt.if from selinux-policy-devel Resolves: rhbz#2172268 * Fri Mar 24 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.10-1 - Add support for the passt_t domain Resolves: rhbz#2172268 - Allow virtd_t and svirt_t work with passt Resolves: rhbz#2172268 - Add new interfaces in the virt module Resolves: rhbz#2172268 - Add passt interfaces defined conditionally Resolves: rhbz#2172268 * Thu Mar 16 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.9-1 - Boolean: allow qemu-ga manage ssh home directory Resolves: rhbz#2178612 - Allow wg load kernel modules, search debugfs dir Resolves: rhbz#2176487 * Thu Feb 16 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.8-1 - Allow svirt to map svirt_image_t char files Resolves: rhbz#2170482 - Fix opencryptoki file names in /dev/shm Resolves: rhbz#2166283 * Wed Feb 15 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.7-1 - Allow staff_t getattr init pid chr & blk files and read krb5 Resolves: rhbz#2112729 - Allow firewalld to rw z90crypt device Resolves: rhbz#2166877 - Allow httpd work with tokens in /dev/shm Resolves: rhbz#2166283 * Thu Feb 09 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.6-1 - Allow modemmanager create hardware state information files Resolves: rhbz#2149560 - Dontaudit ftpd the execmem permission Resolves: rhbz#2164434 - Allow nm-dispatcher plugins read generic files in /proc Resolves: rhbz#2164845 - Label systemd-journald feature LogNamespace Resolves: rhbz#2124797 - Boolean: allow qemu-ga read ssh home directory Resolves: rhbz#1917024 * Thu Jan 26 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.5-1 - Reuse tmpfs_t also for the ramfs filesystem Resolves: rhbz#2160391 - Allow systemd-resolved watch tmpfs directories Resolves: rhbz#2160391 - Allow hostname_t to read network sysctls. Resolves: rhbz#2161958 - Allow ModemManager all permissions for netlink route socket Resolves: rhbz#2149560 - Allow unconfined user filetransition for sudo log files Resolves: rhbz#2160388 - Allow sudodomain use sudo.log as a logfile Resolves: rhbz#2160388 - Allow nm-cloud-setup dispatcher plugin restart nm services Resolves: rhbz#2154414 - Allow wg to send msg to kernel, write to syslog and dbus connections Resolves: rhbz#2149452 - Allow rshim bpf cap2 and read sssd public files Resolves: rhbz#2080439 - Allow svirt request the kernel to load a module Resolves: rhbz#2144735 - Rebase selinux-policy to the latest one in rawhide Resolves: rhbz#2014606 * Thu Jan 12 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.4-1 - Add lpr_roles to system_r roles Resolves: rhbz#2152150 - Allow insights client work with gluster and pcp Resolves: rhbz#2152150 - Add interfaces in domain, files, and unconfined modules Resolves: rhbz#2152150 - Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t Resolves: rhbz#2152150 - Add insights additional capabilities Resolves: rhbz#2152150 - Revert "Allow insights-client run lpr and allow the proper role" Resolves: rhbz#2152150 - Allow prosody manage its runtime socket files Resolves: rhbz#2157891 - Allow syslogd read network sysctls Resolves: rhbz#2156068 - Allow NetworkManager and wpa_supplicant the bpf capability Resolves: rhbz#2137085 - Allow sysadm_t read/write ipmi devices Resolves: rhbz#2158419 - Allow wireguard to create udp sockets and read net_conf Resolves: rhbz#2149452 - Allow systemd-rfkill the bpf capability Resolves: rhbz#2149390 - Allow load_policy_t write to unallocated ttys Resolves: rhbz#2145181 - Allow winbind-rpcd manage samba_share_t files and dirs Resolves: rhbz#2150680 * Thu Dec 15 2022 Nikola Knazekova <nknazeko@redhat.com> - 38.1.3-1 - Allow stalld to read /sys/kernel/security/lockdown file Resolves: rhbz#2140673 - Allow syslog the setpcap capability Resolves: rhbz#2151841 - Allow pulseaudio to write to session_dbusd tmp socket files Resolves: rhbz#2132942 - Allow keepalived to set resource limits Resolves: rhbz#2151212 - Add policy for mptcpd Resolves: bz#1972222 - Add policy for rshim Resolves: rhbz#2080439 - Allow insights-client dbus chat with abrt Resolves: rhbz#2152166 - Allow insights-client work with pcp and manage user config files Resolves: rhbz#2152150 - Allow insights-client run lpr and allow the proper role Resolves: rhbz#2152150 - Allow insights-client tcp connect to various ports Resolves: rhbz#2152150 - Allow insights-client dbus chat with various services Resolves: rhbz#2152150 - Allow journalctl relabel with var_log_t and syslogd_var_run_t files Resolves: rhbz#2152823 * Wed Nov 30 2022 Zdenek Pytela <zpytela@redhat.com> - 38.1.2-1 - Allow insights client communicate with cupsd, mysqld, openvswitch, redis Resolves: rhbz#2124549 - Allow insights client read raw memory devices Resolves: rhbz#2124549 - Allow networkmanager_dispatcher_plugin work with nscd Resolves: rhbz#2149317 - Allow ipsec_t only read tpm devices Resolves: rhbz#2147380 - Watch_sb all file type directories. Resolves: rhbz#2139363 - Add watch and watch_sb dosfs interface Resolves: rhbz#2139363 - Revert "define lockdown class and access" Resolves: rhbz#2145266 - Allow postfix/smtpd read kerberos key table Resolves: rhbz#2145266 - Remove the lockdown class from the policy Resolves: rhbz#2145266 - Remove label for /usr/sbin/bgpd Resolves: rhbz#2145266 - Revert "refpolicy: drop unused socket security classes" Resolves: rhbz#2145266 * Mon Nov 21 2022 Zdenek Pytela <zpytela@redhat.com> - 38.1.1-1 - Rebase selinux-policy to the latest one in rawhide Resolves: rhbz#2082524 * Wed Nov 16 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.47-1 - Add domain_unix_read_all_semaphores() interface Resolves: rhbz#2123358 - Allow chronyd talk with unconfined user over unix domain dgram socket Resolves: rhbz#2141255 - Allow unbound connectto unix_stream_socket Resolves: rhbz#2141236 - added policy for systemd-socket-proxyd Resolves: rhbz#2141606 - Allow samba-dcerpcd use NSCD services over a unix stream socket Resolves: rhbz#2121729 - Allow insights-client unix_read all domain semaphores Resolves: rhbz#2123358 - Allow insights-client manage generic locks Resolves: rhbz#2123358 - Allow insights-client create gluster log dir with a transition Resolves: rhbz#2123358 - Allow insights-client domain transition on semanage execution Resolves: rhbz#2123358 - Disable rpm verification on interface_info Resolves: rhbz#2134515 * Fri Nov 04 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.46-1 - new version Resolves: rhbz#2134827 * Thu Nov 03 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.45-1 - Add watch_sb interfaces Resolves: rhbz#2139363 - Add watch interfaces Resolves: rhbz#2139363 - Allow dhcpd bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow netutils and traceroute bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow pkcs_slotd_t bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow xdm bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow pcscd bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow lldpad bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow keepalived bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow ipsec bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow fprintd bpf capability to run bpf programs Resolves: rhbz#2134827 - Allow iptables list cgroup directories Resolves: rhbz#2134829 - Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files Resolves: rhbz#2042515 - Dontaudit dirsrv search filesystem sysctl directories Resolves: rhbz#2134726 * Thu Oct 13 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.44-1 - Allow insights-client domtrans on unix_chkpwd execution Resolves: rhbz#2126091 - Allow insights-client connect to postgresql with a unix socket Resolves: rhbz#2126091 - Allow insights-client send null signal to rpm and system cronjob Resolves: rhbz#2126091 - Allow insights-client manage samba var dirs Resolves: rhbz#2126091 - Allow rhcd compute selinux access vector Resolves: rhbz#2126091 - Add file context entries for insights-client and rhc Resolves: rhbz#2126161 - Allow pulseaudio create gnome content (~/.config) Resolves: rhbz#2132942 - Allow rhsmcertd execute gpg Resolves: rhbz#2130204 - Label ports 10161-10162 tcp/udp with snmp Resolves: rhbz#2133221 - Allow lldpad send to unconfined_t over a unix dgram socket Resolves: rhbz#2112044 - Label port 15354/tcp and 15354/udp with opendnssec Resolves: rhbz#2057501 - Allow aide to connect to systemd_machined with a unix socket. Resolves: bz#2062936 - Allow ftpd map ftpd_var_run files Resolves: bz#2124943 - Allow ptp4l respond to pmc Resolves: rhbz#2131689 - Allow radiusd connect to the radacct port Resolves: rhbz#2132424 - Allow xdm execute gnome-atspi services Resolves: rhbz#2132244 - Allow ptp4l_t name_bind ptp_event_port_t Resolves: rhbz#2130170 - Allow targetclid to manage tmp files Resolves: rhbz#2127408 - Allow sbd the sys_ptrace capability Resolves: rhbz#2124695 * Thu Sep 08 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.43-1 - Update rhcd policy for executing additional commands 5 Resolves: rhbz#2119351 - Update rhcd policy for executing additional commands 4 Resolves: rhbz#2119351 - Allow rhcd create rpm hawkey logs with correct label Resolves: rhbz#2119351 - Update rhcd policy for executing additional commands 3 Resolves: rhbz#2119351 - Allow sssd to set samba setting Resolves: rhbz#2121125 - Allow journalctl read rhcd fifo files Resolves: rhbz#2119351 - Update insights-client policy for additional commands execution 5 Resolves: rhbz#2121125 - Confine insights-client systemd unit Resolves: rhbz#2121125 - Update insights-client policy for additional commands execution 4 Resolves: rhbz#2121125 - Update insights-client policy for additional commands execution 3 Resolves: rhbz#2121125 - Allow rhcd execute all executables Resolves: rhbz#2119351 - Update rhcd policy for executing additional commands 2 Resolves: rhbz#2119351 - Update insights-client policy for additional commands execution 2 Resolves: rhbz#2121125 * Mon Aug 29 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.42-1 - Label /var/log/rhc-worker-playbook with rhcd_var_log_t Resolves: rhbz#2119351 - Update insights-client policy (auditctl, gpg, journal) Resolves: rhbz#2107363 * Thu Aug 25 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.41-1 - Allow unconfined domains to bpf all other domains Resolves: RHBZ#2112014 - Allow stalld get and set scheduling policy of all domains. Resolves: rhbz#2105038 - Allow unconfined_t transition to targetclid_home_t Resolves: RHBZ#2106360 - Allow samba-bgqd to read a printer list Resolves: rhbz#2118977 - Allow system_dbusd ioctl kernel with a unix stream sockets Resolves: rhbz#2085392 - Allow chronyd bind UDP sockets to ptp_event ports. Resolves: RHBZ#2118631 - Update tor_bind_all_unreserved_ports interface Resolves: RHBZ#2089486 - Remove permissive domain for rhcd_t Resolves: rhbz#2119351 - Allow unconfined and sysadm users transition for /root/.gnupg Resolves: rhbz#2121125 - Add gpg_filetrans_admin_home_content() interface Resolves: rhbz#2121125 - Update rhcd policy for executing additional commands Resolves: rhbz#2119351 - Update insights-client policy for additional commands execution Resolves: rhbz#2119507 - Add rpm setattr db files macro Resolves: rhbz#2119507 - Add userdom_view_all_users_keys() interface Resolves: rhbz#2119507 - Allow gpg read and write generic pty type Resolves: rhbz#2119507 - Allow chronyc read and write generic pty type Resolves: rhbz#2119507

Main Site Links:

Information for build selinux-policy-38.1.44-1.el9