
selinux-policy-41.34-1.fc42 RPM for noarch

From Fedora 42 testing updates for aarch64 / Packages / s

Name: selinux-policy
Distribution: Fedora Project
Version: 41.34
Vendor: Fedora Project
Release: 1.fc42
Build date: Sat Mar 8 10:48:59 2025
Group: Unspecified
Build host: buildvm-s390x-04.s390.fedoraproject.org
Size: 32151
Source RPM: selinux-policy-41.34-1.fc42.src.rpm
Packager: Fedora Project
Url: https://github.com/fedora-selinux/selinux-policy
Summary: SELinux policy configuration

SELinux core policy package.
Originally based off of reference policy,
the policy has been adjusted to provide support for Fedora.

License

GPL-2.0-or-later

Changelog

* Fri Mar 07 2025 Zdenek Pytela <zpytela@redhat.com> - 41.34-1
  - Add context for plymouth debug log files
  - Allow rlimit inheritance for domains transitioning to local_login_t
  - Update insights-core policy
  - Allow insights-core map all non-security files
  - Allow insights-core map audit config and log files
  - Allow insights-client manage insights_client_var_log_t files
  - Remove duplicate dev_rw_dma_dev(xdm_t)
  - Allow thumbnailer read and write the dma device
  - Allow named_filetrans_domain filetrans raid/mdadm named content
  - Allow afterburn to mount and read config drives
  - Allow mptcpd the net_admin capability
* Fri Feb 07 2025 Zdenek Pytela <zpytela@redhat.com> - 41.33-1
  - Allow systemd-networkd the sys_admin capability
  - Update systemd-networkd policy in systemd v257
  - Separate insights-core from insights-client
  - Removed unused insights_client interfaces calls from other modules
  - Update policy for insights_client wrt new rules for insights_core_t
  - Add policy for insights-core
  - Allow systemd-networkd use its private tmpfs files
  - Allow boothd connect to systemd-machined over a unix socket
  - Update init_explicit_domain() interface
  - Allow tlp to read/write nmi_watchdog state information
  - Allow power-profiles-daemon the bpf capability
  - Allow svirt_t to connect to nbdkit over a unix stream socket
  - Update ktlshd policy to read /proc/keys and domain keyrings
  - Allow virt_domain read hardware state information unconditionally
  - Allow init mounton crypto sysctl files
  - Rename winbind_rpcd_* types to samba_dcerpcd_*
  - Support peer-to-peer migration of vms using ssh
* Wed Feb 05 2025 Zdenek Pytela <zpytela@redhat.com> - 41.32-1
  - Allow virtqemud use hostdev usb devices conditionally
  - Allow virtqemud map svirt_image_t plain files
  - Allow virtqemud work with nvdimm devices
  - Support saving and restoring a VM to/from a block device
  - Allow virtnwfilterd dbus chat with firewalld
  - Dontaudit systemd-logind remove all files
  - Add the files_dontaudit_read_all_dirs() interface
  - Add the files_dontaudit_delete_all_files() interface
  - Allow rhsmcertd notify virt-who
  - Allow irqbalance to run unconfined scripts conditionally
* Fri Jan 31 2025 Zdenek Pytela <zpytela@redhat.com> - 41.31-1
  - Allow snapperd execute systemctl in the caller domain
  - Allow svirt_tcg_t to connect to nbdkit over a unix stream socket
  - Allow iio-sensor-proxy read iio devices
  - Label /dev/iio:device[0-9]+ devices
  - Allow systemd-coredump the sys_admin capability
  - Allow apcupsd's apccontrol to send messages using wall
  - contrib/thumb: also allow per-user thumbnailers
  - contrib/thumb: fix thunar thumbnailer (rhbz#2315893)
  - Allow virt_domain to use pulseaudio - conditional
  - Allow pcmsensor read nmi_watchdog state information
  - Allow init_t nnp domain transition to gssproxy_t
* Mon Jan 27 2025 Zdenek Pytela <zpytela@redhat.com> - 41.30-1
  - Allow systemd-generator connect to syslog over a unix stream socket
  - Allow virtqemud manage fixed disk device nodes
  - Allow iio-sensor-proxy connect to syslog over a unix stream socket
  - Allow virtstoraged write to sysfs files
  - Allow power-profiles-daemon write sysfs files
  - Update iiosensorproxy policy
  - Allow pcmsensor write nmi_watchdog state information
  - Label /proc/sys/kernel/nmi_watchdog with sysctl_nmi_watchdog_t
  - Allow virtnodedev create /etc/mdevctl.d/scripts.d with bin_t type
  - Add the gpg_read_user_secrets() interface
  - Allow gnome-remote-desktop read resolv.conf
  - Update switcheroo policy
  - Allow nfsidmap connect to systemd-homed over a unix socket
  - Add the auth_write_motd_var_run_files() interface
  - Add the bind_exec_named_checkconf() interface
  - Add the virt_exec_virsh() interface
* Wed Jan 15 2025 Zdenek Pytela <zpytela@redhat.com> - 41.29-1
  - Allow virtqemud domain transition to nbdkit
  - Add nbdkit interfaces defined conditionally
  - Allow samba-bgqd connect to cupsd over a unix domain stream socket
  - Confine the switcheroo-control service
  - Allow svirt_t read sysfs files
  - Add rhsmcertd interfaces
  - Add the ssh_exec_sshd() interface
  - Add the gpg_domtrans_agent() interface
  - Label /usr/bin/dnf5 with rpm_exec_t
  - Label /dev/pmem[0-9]+ with fixed_disk_device_t
  - allow kdm to create /root/.kde/ with correct label
  - Change /usr/sbin entries to use /usr/bin or remove them
  - Allow systemd-homed get filesystem quotas
  - Allow login_userdomain getattr nsfs files
  - Allow virtqemud send a generic signal to the ssh client domain
  - Dontaudit request-key read /etc/passwd
* Fri Jan 03 2025 Zdenek Pytela <zpytela@redhat.com> - 41.28-1
  - Update virtqemud policy regarding the svirt_tcg_t domain
  - Allow virtqemud domain transition on numad execution
  - Support virt live migration using ssh
  - Allow virtqemud permissions needed for live migration
  - Allow virtqemud the getpgid process permission
  - Allow virtqemud manage nfs dirs when virt_use_nfs boolean is on
  - Allow virtqemud relabelfrom virt_log_t files
  - Allow virtqemud relabel tun_socket
  - Add policy for systemd-import-generator
  - Confine vsftpd systemd system generator
  - Allow virtqemud read and write sgx_vepc devices
  - Allow systemd-networkd list cgroup directories
  - Allow xdm dbus chat with power-profiles-daemon
  - Allow ssh_t read systemd config files
  - Add Valkey rules to Redis module
* Tue Dec 17 2024 Zdenek Pytela <zpytela@redhat.com> - 41.27-1
  - Update ktlsh policy
  - Allow request-key to read /etc/passwd
  - Allow request-key to manage all domains' keys
  - Add support for the KVM guest memfd anon inodes
  - Allow auditctl signal auditd
  - Dontaudit systemd-coredump the sys_resource capability
  - Allow traceroute_t bind rawip sockets to unreserved ports
  - Fix the cups_read_pid_files() interface to use read_files_pattern
  - Allow virtqemud additional permissions for tmpfs_t blk devices
  - Allow virtqemud rw access to svirt_image_t chr files
  - Allow virtqemud rw and setattr access to fixed block devices
  - Label /etc/mdevctl.d/scripts.d with bin_t
  - Allow virtqemud open svirt_devpts_t char files
  - Allow virtqemud relabelfrom virt_log_t files
  - Allow svirt_tcg_t read virtqemud_t fifo_files
  - Allow virtqemud rw and setattr access to sev devices
  - Allow virtqemud directly read and write to a fixed disk
  - Allow virtqemud_t relabel virt_var_lib_t files
  - Allow virtqemud_t relabel virtqemud_var_run_t sock_files
  - Add gnome_filetrans_gstreamer_admin_home_content() interface
  - Label /dev/swradio, /dev/v4l-subdev, /dev/v4l-touch with v4l_device_t
  - Make bootupd_t permissive
  - Allow init_t nnp domain transition to locate_t
  - allow gdm and iiosensorproxy talk to each other via D-bus
  - Allow systemd-journald getattr nsfs files
  - Allow sendmail to map mail server configuration files
  - Allow procmail to read mail aliases
  - Allow cifs.idmap helper to set attributes on kernel keys
  - Allow irqbalance setpcap capability in the user namespace
  - Allow sssd_selinux_manager_t the setcap process permission
  - Allow systemd-sleep manage efivarfs files
  - Allow systemd-related domains getattr nsfs files
  - Allow svirt_t the sys_rawio capability
  - Allow alsa watch generic device directories
  - Move systemd-homed interfaces to separate optional_policy block
  - Update samba-bgqd policy
  - Update virtlogd policy
  - Allow svirt_t the sys_rawio capability
  - Allow qemu-ga the dac_override and dac_read_search capabilities
  - Allow bacula execute container in the container domain
  - Allow httpd get attributes of dirsrv unit files
  - Allow samba-bgqd read cups config files
  - Add label rshim_var_run_t for /run/rshim.pid
* Mon Dec 02 2024 Petr Lautrbach <lautrbach@redhat.com> - 41.26-2
  - Rebuild with SELinux Userspace 3.8
* Tue Nov 19 2024 Zdenek Pytela <zpytela@redhat.com> - 41.26-1
  - [5/5][sync from 'mysql-selinux'] Add mariadb-backup
  - [4/5][sync from 'mysql-selinux'] Fix regex to also match '/var/lib/mysql/mysqlx.sock'
  - [3/5][sync from 'mysql-selinux'] Allow mysqld_t to read and write to the 'memory.pressure' file in cgroup2
  - [2/5][sync from 'mysql-selinux'] 2nd attempt to fix rhbz#2186996 rhbz#2221433 rhbz#2245705
  - [1/5][sync from 'mysql-selinux'] Allow 'mysqld' to use '/usr/bin/hostname'
  - Allow systemd-networkd read mount pid files
  - Update policy for samba-bgqd
  - Allow chronyd read networkmanager's pid files
  - Allow staff user connect to generic tcp ports
  - Allow gnome-remote-desktop dbus chat with policykit
  - Allow tlp the setpgid process permission
  - Update the bootupd policy
  - Allow sysadm_t use the io_uring API
  - Allow sysadm user dbus chat with virt-dbus
  - Allow virtqemud_t read virsh_t files
  - Allow virt_dbus_t connect to virtd_t over a unix stream socket
  - Allow systemd-tpm2-generator read hardware state information
  - Allow coreos-installer-generator execute generic programs
  - Allow coreos-installer domain transition on udev execution
  - Revert "Allow unconfined_t execute kmod in the kmod domain"
  - Allow iio-sensor-proxy create and use unix dgram socket
  - Allow virtstoraged read vm sysctls
  - Support ssh connections via systemd-ssh-generator
  - Label all semanage store files in /etc as semanage_store_t
  - Add file transition for nvidia-modeset
* Fri Oct 25 2024 Zdenek Pytela <zpytela@redhat.com> - 41.25-1
  - Allow dirsrv-snmp map dirsv_tmpfs_t files
  - Label /usr/lib/node_modules_22/npm/bin with bin_t
  - Add policy for /usr/libexec/samba/samba-bgqd
  - Allow gnome-remote-desktop watch /etc directory
  - Allow rpcd read network sysctls
  - Allow journalctl connect to systemd-userdbd over a unix socket
  - Allow some confined users send to lldpad over a unix dgram socket
  - Allow lldpad send to unconfined_t over a unix dgram socket
  - Allow lldpd connect to systemd-machined over a unix socket
  - Confine the ktls service
* Wed Oct 23 2024 Zdenek Pytela <zpytela@redhat.com> - 41.24-1
  - Allow dirsrv read network sysctls
  - Label /run/sssd with sssd_var_run_t
  - Label /etc/sysctl.d and /run/sysctl.d with system_conf_t
  - Allow unconfined_t execute kmod in the kmod domain
  - Allow confined users r/w to screen unix stream socket
  - Label /root/.screenrc and /root/.tmux.conf with screen_home_t
  - Allow virtqemud read virtd_t files
  - Allow ping_t read network sysctls
* Mon Oct 21 2024 Zdenek Pytela <zpytela@redhat.com> - 41.23-1
  - Allow systemd-homework connect to init over a unix socket
  - Fix systemd-homed blobs directory permissions
  - Allow virtqemud read sgx_vepc devices
  - Allow lldpad create and use netlink_generic_socket
* Wed Oct 16 2024 Zdenek Pytela <zpytela@redhat.com> - 41.22-1
  - Allow systemd-homework write to init pid socket
  - Allow init create /var/cache/systemd/home
  - Confine the pcm service
  - Allow login_userdomain read thumb tmp files
  - Update power-profiles-daemon policy
  - Fix the /etc/mdevctl\.d(/.*)? regexp
  - Grant rhsmcertd chown capability & userdb access
  - Allow iio-sensor-proxy the bpf capability
  - Allow systemd-machined the kill user-namespace capability
* Fri Oct 11 2024 Zdenek Pytela <zpytela@redhat.com> - 41.21-1
  - Remove the fail2ban module sources
  - Remove the linuxptp module sources
  - Remove legacy rules for slrnpull
  - Remove the aiccu module sources
  - Remove the bcfg2 module sources
  - Remove the amtu module sources
  - Remove the rhev module sources
  - Remove all file context entries for /bin and /lib
  - Allow ptp4l the sys_admin capability
  - Confine power-profiles-daemon
  - Label /var/cache/systemd/home with systemd_homed_cache_t
  - Allow login_userdomain connect to systemd-homed over a unix socket
  - Allow boothd connect to systemd-homed over a unix socket
  - Allow systemd-homed get attributes of a tmpfs filesystem
  - Allow abrt-dump-journal-core connect to systemd-homed over a unix socket
  - Allow aide connect to systemd-homed over a unix socket
  - Label /dev/hfi1_[0-9]+ devices
  - Suppress semodule's stderr
* Thu Oct 03 2024 Zdenek Pytela <zpytela@redhat.com> - 41.20-1
  - Remove the openct module sources
  - Remove the timidity module sources
  - Enable the slrn module
  - Remove i18n_input module sources
  - Enable the distcc module
  - Remove the ddcprobe module sources
  - Remove the timedatex module sources
  - Remove the djbdns module sources
  - Confine iio-sensor-proxy
  - Allow staff user nlmsg_write
  - Update policy for xdm with confined users
  - Allow virtnodedev watch mdevctl config dirs
  - Allow ssh watch home config dirs
  - Allow ssh map home configs files
  - Allow ssh read network sysctls
  - Allow chronyc sendto to chronyd-restricted
  - Allow cups sys_ptrace capability in the user namespace
* Tue Sep 24 2024 Zdenek Pytela <zpytela@redhat.com> - 41.19-1
  - Add policy for systemd-homed
  - Remove fc entry for /usr/bin/pump
  - Label /usr/bin/noping and /usr/bin/oping with ping_exec_t
  - Allow accountsd read gnome-initial-setup tmp files
  - Allow xdm write to gnome-initial-setup fifo files
  - Allow rngd read and write generic usb devices
  - Allow qatlib search the content of the kernel debugging filesystem
  - Allow qatlib connect to systemd-machined over a unix socket
* Wed Sep 18 2024 Petr Lautrbach <lautrbach@redhat.com> - 41.18-1
  - Drop ru man pages
  - mls/modules.conf - fix typo
  - Allow unprivileged user watch /run/systemd
  - Allow boothd connect to kernel over a unix socket
* Mon Sep 16 2024 Zdenek Pytela <zpytela@redhat.com> - 41.17-2
  - Relabel /etc/mdevctl.d
* Thu Sep 12 2024 Petr Lautrbach <lautrbach@redhat.com> - 41.17-1
  - Clean up and sync securetty_types
  - Bring config files from dist-git into the source repo
  - Confine gnome-remote-desktop
  - Allow virtstoraged execute mount programs in the mount domain
  - Make mdevctl_conf_t member of the file_type attribute
* Fri Sep 06 2024 Zdenek Pytela <zpytela@redhat.com> - 41.16-1
  - Label /etc/mdevctl.d with mdevctl_conf_t
  - Sync users with Fedora targeted users
  - Update policy for rpc-virtstorage
  - Allow virtstoraged get attributes of configfs dirs
  - Fix SELinux policy for sandbox X server to fix 'sandbox -X' command
  - Update bootupd policy when ESP is not mounted
  - Allow thumb_t map dri devices
  - Allow samba use the io_uring API
  - Allow the sysadm user use the secretmem API
  - Allow nut-upsmon read systemd-logind session files
  - Allow sysadm_t to create PF_KEY sockets
  - Update bootupd policy for the removing-state-file test
  - Allow coreos-installer-generator manage mdadm_conf_t files
* Thu Aug 29 2024 Zdenek Pytela <zpytela@redhat.com> - 41.15-1
  - Allow setsebool_t relabel selinux data files
  - Allow virtqemud relabelfrom virtqemud_var_run_t dirs
  - Use better escape method for "interface"
  - Allow init and systemd-logind to inherit fds from sshd
  - Allow systemd-ssh-generator read sysctl files
  - Sync modules.conf with Fedora targeted modules
  - Allow virtqemud relabel user tmp files and socket files
  - Add missing sys_chroot capability to groupadd policy
  - Label /run/libvirt/qemu/channel with virtqemud_var_run_t
  - Allow virtqemud relabelfrom also for file and sock_file
  - Add virt_create_log() and virt_write_log() interfaces
  - Call binaries without full path
* Mon Aug 12 2024 Zdenek Pytela <zpytela@redhat.com> - 41.14-1
  - Update libvirt policy
  - Add port 80/udp and 443/udp to http_port_t definition
  - Additional updates stalld policy for bpf usage
  - Label systemd-pcrextend and systemd-pcrlock properly
  - Allow coreos_installer_t work with partitions
  - Revert "Allow coreos-installer-generator work with partitions"
  - Add policy for systemd-pcrextend
  - Update policy for systemd-getty-generator
  - Allow ip command write to ipsec's logs
  - Allow virt_driver_domain read virtd-lxc files in /proc
  - Revert "Allow svirt read virtqemud fifo files"
  - Update virtqemud policy for libguestfs usage
  - Allow virtproxyd create and use its private tmp files
  - Allow virtproxyd read network state
  - Allow virt_driver_domain create and use log files in /var/log
  - Allow samba-dcerpcd work with ctdb cluster
* Tue Aug 06 2024 Zdenek Pytela <zpytela@redhat.com> - 41.13-1
  - Allow NetworkManager_dispatcher_t send SIGKILL to plugins
  - Allow setroubleshootd execute sendmail with a domain transition
  - Allow key.dns_resolve set attributes on the kernel key ring
  - Update qatlib policy for v24.02 with new features
  - Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t
  - Allow tlp status power services
  - Allow virtqemud domain transition on passt execution
  - Allow virt_driver_domain connect to systemd-userdbd over a unix socket
  - Allow boothd connect to systemd-userdbd over a unix socket
  - Update policy for awstats scripts
  - Allow bitlbee execute generic programs in system bin directories
  - Allow login_userdomain read aliases file
  - Allow login_userdomain read ipsec config files
  - Allow login_userdomain read all pid files
  - Allow rsyslog read systemd-logind session files
  - Allow libvirt-dbus stream connect to virtlxcd
* Wed Jul 31 2024 Zdenek Pytela <zpytela@redhat.com> - 41.12-1
  - Update bootupd policy
  - Allow rhsmcertd read/write access to /dev/papr-sysparm
  - Label /dev/papr-sysparm and /dev/papr-vpd
  - Allow abrt-dump-journal-core connect to winbindd
  - Allow systemd-hostnamed shut down nscd
  - Allow systemd-pstore send a message to syslogd over a unix domain
  - Allow postfix_domain map postfix_etc_t files
  - Allow microcode create /sys/devices/system/cpu/microcode/reload
  - Allow rhsmcertd read, write, and map ica tmpfs files
  - Support SGX devices
  - Allow initrc_t transition to passwd_t
  - Update fstab and cryptsetup generators policy
  - Allow xdm_t read and write the dma device
  - Update stalld policy for bpf usage
  - Allow systemd_gpt_generator to getattr on DOS directories
* Thu Jul 25 2024 Zdenek Pytela <zpytela@redhat.com> - 41.11-1
  - Make cgroup_memory_pressure_t a part of the file_type attribute
  - Allow ssh_t to change role to system_r
  - Update policy for coreos generators
  - Allow init_t nnp domain transition to firewalld_t
  - Label /run/modprobe.d with modules_conf_t
  - Allow virtnodedevd run udev with a domain transition
  - Allow virtnodedev_t create and use virtnodedev_lock_t
  - Allow virtstoraged manage files with virt_content_t type
  - Allow virtqemud unmount a filesystem with extended attributes
  - Allow svirt_t connect to unconfined_t over a unix domain socket
* Mon Jul 22 2024 Zdenek Pytela <zpytela@redhat.com> - 41.10-1
  - Update afterburn file transition policy
  - Allow systemd_generator read attributes of all filesystems
  - Allow fstab-generator read and write cryptsetup-generator unit file
  - Allow cryptsetup-generator read and write fstab-generator unit file
  - Allow systemd_generator map files in /etc
  - Allow systemd_generator read init's process state
  - Allow coreos-installer-generator read sssd public files
  - Allow coreos-installer-generator work with partitions
  - Label /etc/mdadm.conf.d with mdadm_conf_t
  - Confine coreos generators
  - Label /run/metadata with afterburn_runtime_t
  - Allow afterburn list ssh home directory
  - Label samba certificates with samba_cert_t
  - Label /run/coreos-installer-reboot with coreos_installer_var_run_t
  - Allow virtqemud read virt-dbus process state
  - Allow staff user dbus chat with virt-dbus
  - Allow staff use watch /run/systemd
  - Allow systemd_generator to write kmsg
* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 41.9-2
  - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Tue Jul 16 2024 Zdenek Pytela <zpytela@redhat.com> - 41.9-1
  - Allow virtqemud connect to sanlock over a unix stream socket
  - Allow virtqemud relabel virt_var_run_t directories
  - Allow svirt_tcg_t read vm sysctls
  - Allow virtnodedevd connect to systemd-userdbd over a unix socket
  - Allow svirt read virtqemud fifo files
  - Allow svirt attach_queue to a virtqemud tun_socket
  - Allow virtqemud run ssh client with a transition
  - Allow virt_dbus_t connect to virtqemud_t over a unix stream socket
  - Update keyutils policy
  - Allow sshd_keygen_t connect to userdbd over a unix stream socket
  - Allow postfix-smtpd read mysql config files
  - Allow locate stream connect to systemd-userdbd
  - Allow the staff user use wireshark
  - Allow updatedb connect to userdbd over a unix stream socket
  - Allow gpg_t set attributes of public-keys.d
  - Allow gpg_t get attributes of login_userdomain stream
  - Allow systemd_getty_generator_t read /proc/1/environ
  - Allow systemd_getty_generator_t to read and write to tty_device_t
* Thu Jul 11 2024 Petr Lautrbach <lautrbach@redhat.com> 41.8-4
  - Move %postInstall to %posttrans
  - Use `Requires(meta): (rpm-plugin-selinux if rpm-libs)`
  - Drop obsolete modules from config
  - Install dnf protected files only when policy is built
* Thu Jul 11 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 41.8-3
  - Relabel files under /usr/bin to fix stale context after sbin merge
* Wed Jul 10 2024 Petr Lautrbach <lautrbach@redhat.com> 41.8-2
  - Merge -base and -contrib
* Wed Jul 10 2024 Zdenek Pytela <zpytela@redhat.com> - 41.8-1
  - Drop publicfile module
  - Remove permissive domain for systemd_nsresourced_t
  - Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t
  - Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t
  - Allow to create and delete socket files created by rhsm.service
  - Allow virtnetworkd exec shell when virt_hooks_unconfined is on
  - Allow unconfined_service_t transition to passwd_t
  - Support /var is empty
  - Allow abrt-dump-journal read all non_security socket files
  - Allow timemaster write to sysfs files
  - Dontaudit domain write cgroup files
  - Label /usr/lib/node_modules/npm/bin with bin_t
  - Allow ip the setexec permission
  - Allow systemd-networkd write files in /var/lib/systemd/network
  - Fix typo in systemd_nsresourced_prog_run_bpf()
* Fri Jun 28 2024 Zdenek Pytela <zpytela@redhat.com> - 41.7-1
  - Confine libvirt-dbus
  - Allow virtqemud the kill capability in user namespace
  - Allow rshim get options of the netlink class for KOBJECT_UEVENT family
  - Allow dhcpcd the kill capability
  - Allow systemd-networkd list /var/lib/systemd/network
  - Allow sysadm_t run systemd-nsresourced bpf programs
  - Update policy for systemd generators interactions
  - Allow create memory.pressure files with cgroup_memory_pressure_t
  - Add support for libvirt hooks
* Wed Jun 19 2024 Zdenek Pytela <zpytela@redhat.com> - 41.6-1
  - Allow certmonger read and write tpm devices
  - Allow all domains to connect to systemd-nsresourced over a unix socket
  - Allow systemd-machined read the vsock device
  - Update policy for systemd generators
  - Allow ptp4l_t request that the kernel load a kernel module
  - Allow sbd to trace processes in user namespace
  - Allow request-key execute scripts
  - Update policy for haproxyd
* Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 41.5-1
  - Update policy for systemd-nsresourced
  - Correct sbin-related file context entries
* Mon Jun 17 2024 Zdenek Pytela <zpytela@redhat.com> - 41.4-1
  - Allow login_userdomain execute systemd-tmpfiles in the caller domain
  - Allow virt_driver_domain read files labeled unconfined_t
  - Allow virt_driver_domain dbus chat with policykit
  - Allow virtqemud manage nfs files when virt_use_nfs boolean is on
  - Add rules for interactions between generators
  - Label memory.pressure files with cgroup_memory_pressure_t
  - Revert "Allow some systemd services write to cgroup files"
  - Update policy for systemd-nsresourced
  - Label /usr/bin/ntfsck with fsadm_exec_t
  - Allow systemd_fstab_generator_t read tmpfs files
  - Update policy for systemd-nsresourced
  - Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
  - Remove a few lines duplicated between {dkim,milter}.fc
  - Alias /bin → /usr/bin and remove redundant paths
  - Drop duplicate line for /usr/sbin/unix_chkpwd
  - Drop duplicate paths for /usr/sbin
* Tue Jun 11 2024 Zdenek Pytela <zpytela@redhat.com> - 41.3-1
  - Update systemd-generator policy
  - Remove permissive domain for bootupd_t
  - Remove permissive domain for coreos_installer_t
  - Remove permissive domain for afterburn_t
  - Add the sap module to modules.conf
  - Move unconfined_domain(sap_unconfined_t) to an optional block
  - Create the sap module
  - Allow systemd-coredumpd sys_admin and sys_resource capabilities
  - Allow systemd-coredump read nsfs files
  - Allow generators auto file transition only for plain files
  - Allow systemd-hwdb write to the kernel messages device
  - Escape "interface" as a file name in a virt filetrans pattern
  - Allow gnome-software work for login_userdomain
  - Allow systemd-machined manage runtime sockets
  - Revert "Allow systemd-machined manage runtime sockets"
* Fri Jun 07 2024 Zdenek Pytela <zpytela@redhat.com> - 41.2-1
  - Allow postfix_domain connect to postgresql over a unix socket
  - Dontaudit systemd-coredump sys_admin capability
  - Allow all domains read and write z90crypt device
  - Allow tpm2 generator setfscreate
  - Allow systemd (PID 1) manage systemd conf files
  - Allow pulseaudio map its runtime files
  - Update policy for getty-generator
  - Allow systemd-hwdb send messages to kernel unix datagram sockets
  - Allow systemd-machined manage runtime sockets
* Mon Jun 03 2024 Zdenek Pytela <zpytela@redhat.com> - 41.1-1
  - Allow fstab-generator create unit file symlinks
  - Update policy for cryptsetup-generator
  - Update policy for fstab-generator
  - Allow virtqemud read vm sysctls
  - Allow collectd to trace processes in user namespace
  - Allow bootupd search efivarfs dirs
  - Add policy for systemd-mountfsd
  - Add policy for systemd-nsresourced
  - Update policy generators
  - Add policy for anaconda-generator
  - Update policy for fstab and gpt generators
  - Add policy for kdump-dep-generator

Files

/etc/selinux
/etc/selinux/config
/etc/sysconfig/selinux
/usr/lib/rpm/macros.d/macros.selinux-policy
/usr/lib/systemd/system/selinux-check-proper-disable.service
/usr/lib/tmpfiles.d/selinux-policy.conf
/usr/libexec/selinux/binsbin-convert.sh
/usr/libexec/selinux/varrun-convert.sh
/usr/share/licenses/selinux-policy
/usr/share/licenses/selinux-policy/COPYING
/usr/share/selinux
/usr/share/selinux/packages


Generated by rpm2html 1.8.1

Fabrice Bellet, Thu Mar 13 00:41:06 2025