
selinux-policy-devel-34.20-1.fc34 RPM for noarch

From Fedora 34 testing updates for x86_64

Name: selinux-policy-devel
Distribution: Fedora Project
Version: 34.20
Vendor: Fedora Project
Release: 1.fc34
Build date: Fri Sep 17 17:16:57 2021
Group: Unspecified
Build host:
Size: 14136638
Source RPM: selinux-policy-34.20-1.fc34.src.rpm
Packager: Fedora Project
Summary: SELinux policy development files
SELinux policy development package.
This package contains:
- interfaces, macros, and patterns for policy development
- a policy example
- the macro-expander utility
and some additional files.

* Thu Sep 16 2021 Zdenek Pytela <> - 34.20-1
  - cleanup unused codes
  - Fix typo in the gnome_exec_atspi() interface summary
  - Allow xdm execute gnome-atspi services
  - Allow gnome at-spi processes execute dbus-daemon in caller domain
  - Allow xdm watch dbus configuration
  - Allow xdm execute dbus-daemon in the caller domain
  - Revert "Allow xdm_t transition to system_dbusd_t"
  - Allow at-spi-bus-launcher read and map xdm pid files
  - Allow dhcpcd set its resource limits
  - Allow systemd-sleep get removable devices attributes
  - Allow usbmuxd get attributes of fs_t filesystems
* Thu Sep 09 2021 Zdenek Pytela <> - 34.19-1
  - Update the dhcp client local policy
  - Allow firewalld load kernel modules
  - Allow postfix_domain to sendto unix dgram sockets.
  - Allow systemd watch unallocated ttys
* Tue Sep 07 2021 Zdenek Pytela <> - 34.18-1
  - Allow ModemManager create a qipcrtr socket
  - Allow ModemManager request to load a kernel module
  - Label /usr/sbin/virtproxyd as virtd_exec_t
  - Allow communication between at-spi and gdm processes
  - Update ica_filetrans_named_content() with create_file_perms
  - Fix the gnome_atspi_domtrans() interface summary
* Fri Aug 27 2021 Zdenek Pytela <> - 34.17-2
  - Relabel /var/lib/rpm explicitly
  - Revert "Relabel /dev/dma_heap explicitly"
  - Add ica module to modules-targeted-contrib.conf
* Fri Aug 27 2021 Zdenek Pytela <> - 34.17-1
  - Add support for at-spi
  - Add permissions for system dbus processes
  - Allow various domains work with ICA crypto accelerator
  - Add ica module
  - Revert "Support using ICA crypto accelerator on s390x arch"
  - Allow systemd to delete fwupd var cache files
  - Allow vmtools_unconfined_t domain transition to rpm_script_t
  - Allow dirsrv read slapd tmpfs files
  - Revert "Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label"
  - Rename samba_exec() to samba_exec_net()
  - Support using ICA crypto accelerator on s390x arch
  - Allow systemd delete /run/systemd/default-hostname
  - Allow tcpdump read system state information in /proc
  - Allow rhsmcertd to create cache file in /var/cache/cloud-what
  - Allow D-bus communication between avahi and sosreport
  - Label /usr/libexec/gdm-runtime-config with xdm_exec_t
  - Allow lldpad send to kdumpctl over a unix dgram socket
  - Revert "Allow lldpad send to kdump over a unix dgram socket"
  - Allow chronyc respond to a user chronyd instance
  - Allow ptp4l respond to pmc
  - Allow lldpad send to unconfined_t over a unix dgram socket
  - Allow sssd to set samba setting
* Thu Aug 12 2021 Zdenek Pytela <> - 34.16-1
  - Allow systemd-timesyncd watch system dbus pid socket files
  - Allow firewalld drop capabilities
  - Allow rhsmcertd execute gpg
  - Allow lldpad send to kdump over a unix dgram socket
  - Allow systemd-gpt-auto-generator read udev pid files
  - Set default file context for /sys/firmware/efi/efivars
  - Allow tcpdump run as a systemd service
  - Allow nmap create and use netlink generic socket
  - Allow nscd watch system db files in /var/db
  - Allow cockpit_ws_t get attributes of fs_t filesystems
  - Allow sysadm access to kernel module resources
  - Allow sysadm to read/write scsi files and manage shadow
  - Allow sysadm access to files_unconfined and bind rpc ports
  - Allow sysadm read and view kernel keyrings
  - Allow journal mmap and read var lib files
  - Allow tuned to read rhsmcertd config files
  - Allow bootloader to read tuned etc files
  - Label /usr/bin/qemu-storage-daemon with virtd_exec_t
* Fri Aug 06 2021 Zdenek Pytela <> - 34.15-1
  - Disable seccomp on CI containers
  - Allow systemd-machined stop generic service units
  - Allow virtlogd_t read process state of user domains
  - Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp
  - Label /dev/crypto/nx-gzip with accelerator_device_t
  - Update the policy for systemd-journal-upload
  - Allow unconfined domains to bpf all other domains
  - Confine rhsm service and rhsm-facts service as rhsmcertd_t
  - Allow fcoemon talk with unconfined user over unix domain datagram socket
  - Allow abrt_domain read and write z90crypt device
  - Allow mdadm read iscsi pid files
  - Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
  - Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
  - Allow hostapd bind UDP sockets to the dhcpd port
  - Unconfined domains should not be confined
* Wed Jul 14 2021 Zdenek Pytela <> - 34.14-1
  - Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
  - Remove references to init_watch_path_type attribute
  - Remove all redundant watch permissions for systemd
  - Allow systemd watch non_security_file_type dirs, files, lnk_files
  - Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
  - Allow bacula get attributes of cgroup filesystems
  - Allow systemd-journal-upload watch logs and journal
  - Create a policy for systemd-journal-upload
  - Allow tcpdump and nmap get attributes of infiniband_device_t
  - Allow arpwatch get attributes of infiniband_device_t devices
  - Label /dev/wmi/dell-smbios as acpi_device_t
* Thu Jul 01 2021 Zdenek Pytela <> - 34.13-1
  - Allow radius map its library files
  - Allow nftables read NetworkManager unnamed pipes
  - Allow logrotate rotate container log files
* Tue Jun 22 2021 Zdenek Pytela <> - 34.12-2
  - Add a systemd service to check that SELinux is disabled properly
  - specfile: Add unowned dir to the macro
  - Relabel /dev/dma_heap explicitly
* Mon Jun 21 2021 Zdenek Pytela <> - 34.12-1
  - Label /dev/dma_heap/* char devices with dma_device_t
  - Revert "Label /dev/dma_heap/* char devices with dma_device_t"
  - Revert "Label /dev/dma_heap with dma_device_dir_t"
  - Revert "Associate dma_device_dir_t with device filesystem"
  - Add the lockdown integrity permission to dev_map_userio_dev()
  - Allow systemd-modules-load read/write tracefs files
  - Allow sssd watch /run/systemd
  - Label /usr/bin/arping plain file with netutils_exec_t
  - Label /run/fsck with fsadm_var_run_t
  - Label /usr/bin/Xwayland with xserver_exec_t
  - Allow systemd-timesyncd watch dbus runtime dir
  - Allow asterisk watch localization files
  - Allow iscsid read all process stat
  - iptables.fc: Add missing legacy-restore and legacy-save entries
  - Label /run/libvirt/common with virt_common_var_run_t
  - Label /.k5identity file allow read of this file to rpc.gssd
  - Make usbmuxd_t a daemon
* Wed Jun 09 2021 Zdenek Pytela <> - 34.11-1
  - Allow sanlock get attributes of cgroup filesystems
  - Associate dma_device_dir_t with device filesystem
  - Set default file context for /var/run/systemd instead of /run/systemd
  - Allow nmap create and use rdma socket
  - Allow pkcs-slotd create and use netlink_kobject_uevent_socket
* Sun Jun 06 2021 Zdenek Pytela <> - 34.10-1
  - Allow using opencryptoki for ipsec
  - Allow using opencryptoki for certmonger
  - Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
  - Label /dev/dma_heap with dma_device_dir_t
  - Allow syslogd watch non security dirs conditionally
  - Introduce logging_syslogd_list_non_security_dirs tunable
  - Remove openhpi module
  - Allow udev to watch fixed disk devices
  - Allow httpd_sys_script_t read, write, and map hugetlbfs files
  - Allow apcupsd get attributes of cgroup filesystems
* Thu May 27 2021 Zdenek Pytela <> - 34.9-1
  - Add kerberos object filetrans for nsswitchdomain
  - Allow fail2ban watch various log files
  - Add logging_watch_audit_log_files() and logging_watch_audit_log_dirs()
  - Remove further modules recently removed from refpolicy
  - Remove modules not shipped and not present in refpolicy
  - Revert "Add permission open to files_read_inherited_tmp_files() interface"
  - Revert "Allow pcp_pmlogger_t to use setrlimit BZ(1708951)"
  - Revert "Dontaudit logrotate to setrlimit itself. rhbz#1309604"
  - Revert "Allow cockpit_ws_t domain to set limits BZ(1701703)"
  - Dontaudit setrlimit for domains that exec systemctl
  - Allow kdump_t net_admin capability
  - Allow nsswitch_domain read init pid lnk_files
  - Label /dev/trng with random_device_t
  - Label /run/systemd/default-hostname with hostname_etc_t
  - Add default file context specification for dnf log files
  - Label /dev/zram[0-9]+ block device files with fixed_disk_device_t
  - Label /dev/udmabuf character device with dma_device_t
  - Label /dev/dma_heap/* char devices with dma_device_t
  - Label /dev/acpi_thermal_rel char device with acpi_device_t
* Thu May 20 2021 Zdenek Pytela <> - 34.8-1
  - Allow local_login_t nnp_transition to login_userdomain
  - Allow asterisk watch localization symlinks
  - Allow NetworkManager_t to watch /etc
  - Label /var/lib/kdump with kdump_var_lib_t
  - Allow amanda get attributes of cgroup filesystems
  - Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t
  - Allow install_t nnp_domtrans to setfiles_mac_t
  - Allow fcoemon create sysfs files
* Thu May 13 2021 Zdenek Pytela <> - 34.7-1
  - Allow tgtd read and write infiniband devices
  - Add a comment on virt_sandbox booleans with empty content
  - Deprecate duplicate dev_write_generic_sock_files() interface
  - Allow vnstatd_t map vnstatd_var_lib_t files
  - Allow privoxy execmem
  - Allow pmdakvm read information from the debug filesystem
  - Add lockdown integrity into kernel_read_debugfs() and kernel_manage_debugfs()
  - Add permissions to delete lnk_files into gnome_delete_home_config()
  - Remove rules for inotifyfs
  - Remove rules for anon_inodefs
  - Allow systemd nnp_transition to login_userdomain
  - Allow unconfined_t write other processes perf_event records
  - Allow sysadm_t dbus chat with tuned
  - Allow tuned write profile files with file transition
  - Allow tuned manage perf_events
  - Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
* Fri May 07 2021 Zdenek Pytela <> - 34.6-1
  - Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
  - Add kernel_write_perf_event() and kernel_manage_perf_event()
  - Allow syslogd_t watch root and var directories
  - Allow unconfined_t read other processes perf_event records
  - Allow login_userdomain read and map /var/lib/systemd files
  - Allow NetworkManager watch its config dir
  - Allow NetworkManager read and write z90crypt device
  - Allow tgtd create and use rdma socket
  - Allow aide connect to init with a unix socket
* Tue May 04 2021 Zdenek Pytela <> - 34.5-1
  - Grant execmem to varnishlog_t
  - We no longer need signull for varnishlog_t
  - Add map permission to varnishd_read_lib_files
  - Allow systemd-sleep tlp_filetrans_named_content()
  - Allow systemd-sleep execute generic programs
  - Allow systemd-sleep execute shell
  - Allow to sendmail read/write kerberos host rcache files
  - Allow freshclam get attributes of cgroup filesystems
  - Fix context of /run/systemd/timesync
  - Allow udev create /run/gdm with proper type
  - Allow chronyc socket file transition in user temp directory
  - Allow virtlogd_t to create virt_var_lockd_t dir
  - Allow pluto IKEv2 / ESP over TCP
* Tue Apr 27 2021 Zdenek Pytela <> - 34.4-1
  - Allow domain create anonymous inodes
  - Add anon_inode class to the policy
  - Allow systemd-coredump getattr nsfs files and net_admin capability
  - Allow systemd-sleep transition to sysstat_t
  - Allow systemd-sleep transition to tlp_t
  - Allow systemd-sleep transition to unconfined_service_t on bin_t executables
  - Allow systemd-timedated watch runtime dir and its parent
  - Allow system dbusd read /var/lib symlinks
  - Allow unconfined_service_t confidentiality and integrity lockdown
  - Label /var/lib/brltty with brltty_var_lib_t
  - Allow domain and unconfined_domain_type watch /proc/PID dirs
  - Additional permission for confined users logging into graphic session
  - Make for screen fsetid/setuid/setgid permission conditional
  - Allow for confined users access to wtmp and run utempter
* Fri Apr 09 2021 Zdenek Pytela <> - 34.3-1
  - Label /etc/redis as redis_conf_t
  - Add brltty new permissions required by new upstream version
  - Allow cups-lpd read its private runtime socket files
  - Dontaudit daemon open and read init_t file
  - Add file context specification for /var/tmp/tmp-inst
  - Allow brltty create and use bluetooth_socket
  - Allow usbmuxd get attributes of cgroup filesystems
* Tue Apr 06 2021 Zdenek Pytela <> - 34.2-1
  - Allow usbmuxd get attributes of cgroup filesystems
  - Allow accounts-daemon get attributes of cgroup filesystems
  - Allow pool-geoclue get attributes of cgroup filesystems
  - allow systemd-sleep to set timer for suspend-then-hibernate
  - Allow aide connect to systemd-userdbd with a unix socket
  - Add new interfaces with watch_mount and watch_with_perm permissions
  - Add file context specification for /usr/libexec/realmd
  - Allow /tmp file transition for dbus-daemon also for sock_file
  - Allow login_userdomain create cgroup files
  - Allow plymouthd_t exec generic program in bin directories
* Thu Apr 01 2021 Zdenek Pytela <> - 34.1-1
  - Change the package versioning
* Thu Apr 01 2021 Zdenek Pytela <> - 3.14.7-30
  - Allow plymouthd_t exec generic program in bin directories
  - Allow dhcpc_t domain transition to chronyc_t
  - Allow login_userdomain bind xmsg port
  - Allow ibacm the net_raw and sys_rawio capabilities
  - Allow nsswitch_domain read cgroup files
  - Allow systemd-sleep create hardware state information files
* Mon Mar 29 2021 Zdenek Pytela <> - 3.14.7-29
  - Add watch_with_perm_dirs_pattern file pattern
* Fri Mar 26 2021 Zdenek Pytela <> - 3.14.7-28
  - Allow arpwatch_t create netlink generic socket
  - Allow postgrey read network state
  - Add watch_mount_dirs_pattern file pattern
  - Allow bluetooth_t dbus chat with fwupd_t
  - Allow xdm_t watch accountsd lib directories
  - Add additional interfaces for watching /boot
  - Allow sssd_t get attributes of tmpfs filesystems
  - Allow local_login_t get attributes of tmpfs filesystems
* Tue Mar 23 2021 Zdenek Pytela <> - 3.14.7-27
  - Dontaudit domain the fowner capability
  - Extend fs_manage_nfsd_fs() to allow managing dirs as well
  - Allow spice-vdagentd watch systemd-logind session dirs
* Fri Mar 19 2021 Zdenek Pytela <> - 3.14.7-26
  - Allow xdm_t watch systemd-logind session dirs
  - Allow xdm_t transition to system_dbusd_t
  - Allow confined users login into graphic session
  - Allow login_userdomain watch systemd login session dirs
  - install_t: Allow NoNewPriv transition from systemd
  - Remove setuid/setgid capabilities from mysqld_t
  - Add context for new mariadbd executable files
  - Allow netutils_t create netlink generic socket
  - Allow systemd the audit_control capability conditionally
* Thu Mar 11 2021 Zdenek Pytela <> - 3.14.7-25
  - Allow polkit-agent-helper-1 read logind sessions files
  - Allow polkit-agent-helper read init state
  - Allow login_userdomain watch generic device dirs
  - Allow login_userdomain listen on bluetooth sockets
  - Allow user_t and staff_t bind netlink_generic_socket
  - Allow login_userdomain write inaccessible nodes
  - Allow transition from xdm domain to unconfined_t domain.
  - Add 'make validate' step to CI
  - Disallow user_t run su/sudo and staff_t run su
  - Fix typo in rsyncd.conf in rsync.if
  - Add an alias for nvme_device_t
  - Allow systemd watch and watch_reads unallocated ttys
* Tue Mar 02 2021 Zdenek Pytela <> - 3.14.7-24
  - Allow apmd watch generic device directories
  - Allow kdump load a new kernel
  - Add confidentiality lockdown permission to kernel_read_core_if()
  - Allow keepalived read nsfs files
  - Allow local_login_t get attributes of filesystems with ext attributes
  - Allow keepalived read/write its private memfd: objects
  - Add missing declaration in rpm_named_filetrans()
  - Change param description in cron interfaces to userdomain_prefix
* Tue Feb 23 2021 Zdenek Pytela <> - 3.14.7-23
  - iptables.fc: Add missing legacy entries
  - iptables.fc: Remove some duplicate entries
  - iptables.fc: Remove duplicate file context entries
  - Allow libvirtd to create generic netlink sockets
  - Allow libvirtd the fsetid capability
  - Allow libvirtd to read /run/utmp
  - Dontaudit sys_ptrace capability when calling systemctl
  - Allow udisksd to read /dev/random
  - Allow udisksd to watch files under /run/mount
  - Allow udisksd to watch /etc
  - Allow crond to watch user_cron_spool_t directories
  - Allow accountsd watch xdm config directories
  - Label /etc/avahi with avahi_conf_t
  - Allow sssd get cgroup filesystems attributes and search cgroup dirs
  - Allow systemd-hostnamed read udev runtime data
  - Remove dev_getattr_sysfs_fs() interface calls for particular domains
  - Allow domain stat the /sys filesystem
  - Dontaudit NetworkManager write to initrc_tmp_t pipes
  - policykit.te: Clean up watch rule for policykit_auth_t
  - Revert further unnecessary watch rules
  - Revert "Allow getty watch its private runtime files"
  - Allow systemd watch generic /var directories
  - Allow init watch network config files and lnk_files
* Fri Feb 19 2021 Zdenek Pytela <> - 3.14.7-22
  - Allow systemd-sleep get attributes of fixed disk device nodes
  - Complete initial policy for systemd-coredump
  - Label SDC(scini) Dell Driver
  - Allow upowerd to send syslog messages
  - Remove the disk write permissions from tlp_t
  - Label NVMe devices as fixed_disk_device_t
  - Allow rhsmcertd bind tcp sockets to a generic node
  - Allow systemd-importd manage machines.lock file
  - Allow unconfined integrity lockdown permission
  - Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
  - Allow systemd-machined manage systemd-userdbd runtime sockets
  - Enable systemd-sysctl domtrans for udev
  - Introduce kernel_load_unsigned_module interface and use it for couple domains
  - Allow gpg watch user gpg secrets dirs
  - Build also the container module in CI
  - Remove duplicate code from kernel.te
  - Allow restorecond to watch all non-auth directories
  - Allow restorecond to watch its config file
* Tue Feb 16 2021 Zdenek Pytela <> - 3.14.7-21
  - Allow unconfined integrity lockdown permission
  - Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
  - Allow systemd-machined manage systemd-userdbd runtime sockets
  - Enable systemd-sysctl domtrans for udev
  - Introduce kernel_load_unsigned_module interface and use it for couple domains
  - Allow gpg watch user gpg secrets dirs
  - Build also the container module in CI
  - Remove duplicate code from kernel.te
  - Allow restorecond to watch all non-auth directories
  - Allow restorecond to watch its config file
* Fri Feb 12 2021 Zdenek Pytela <> - 3.14.7-20
  - Allow userdomain watch various filesystem objects
  - Allow systemd-logind and systemd-sleep integrity lockdown permission
  - Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
  - Allow pulseaudio watch devices and systemd-logind session dirs
  - Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir
  - Remove duplicate files_mounton_etc(init_t) call
  - Add watch permissions to manage_* object permissions sets
  - Allow journalctl watch generic log dirs and /run/log/journal dir
  - Label /etc/resolv.conf as net_conf_t even when it's a symlink
  - Allow SSSD to watch /var/run/NetworkManager
  - Allow dnsmasq_t to watch /etc
  - Remove unnecessary lines from the new watch interfaces
  - Fix docstring for init_watch_dir()
  - Allow xdm watch its private lib dirs, /etc, /usr
* Fri Feb 12 2021 Zdenek Pytela <> - 3.14.7-19
  - Bump version as Fedora 34 has been branched off rawhide
  - Allow xdm watch its private lib dirs, /etc, /usr
  - Allow systemd-importd create /run/systemd/machines.lock file
  - Allow rhsmcertd_t read kpatch lib files
  - Add integrity lockdown permission into dev_read_raw_memory()
  - Add confidentiality lockdown permission into fs_rw_tracefs_files()
  - Allow gpsd read and write ptp4l_t shared memory.
  - Allow colord watch its private lib files and /usr
  - Allow init watch_reads mount PID files
  - Allow IPsec and Certmonger to use opencryptoki services
* Sun Feb 07 2021 Zdenek Pytela <> - 3.14.7-18
  - Allow lockdown confidentiality for domains using perf_event
  - define lockdown class and access
  - Add perfmon capability for all domains using perf_event
  - Allow ptp4l_t bpf capability to run bpf programs
  - Revert "Allow ptp4l_t sys_admin capability to run bpf programs"
  - access_vectors: Add new capabilities to cap2
  - Allow systemd and systemd-resolved watch dbus pid objects
  - Add new watch interfaces in the base and userdomain policy
  - Add watch permissions for contrib packages
  - Allow xdm watch /usr directories
  - Allow getty watch its private runtime files
  - Add watch permissions for nscd and sssd
  - Add watch permissions for firewalld and NetworkManager
  - Add watch permissions for syslogd
  - Add watch permissions for systemd services
  - Allow restorecond watch /etc dirs
  - Add watch permissions for user domain types
  - Add watch permissions for init
  - Add basic watch interfaces for systemd
  - Add basic watch interfaces to the base module
  - Add additional watch object permissions sets and patterns
  - Allow init_t to watch localization symlinks
  - Allow init_t to watch mount directories
  - Allow init_t to watch cgroup files
  - Add basic watch patterns
  - Add new watch* permissions
* Fri Feb 05 2021 Zdenek Pytela <> - 3.14.7-17
  - Update .copr/ to use rawhide as DISTGIT_BRANCH
  - Dontaudit setsched for rndc
  - Allow systemd-logind destroy entries in message queue
  - Add userdom_destroy_unpriv_user_msgq() interface
  - ci: Install build dependencies from koji
  - Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
  - Add new cmadmin port for bfdd daemon
  - virtiofs supports Xattrs and SELinux
  - Allow domain write to systemd-resolved PID socket files
  - Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type
  - Allow rhsmcertd_t domain transition to kpatch_t
  - Revert "Add kpatch_exec() interface"
  - Revert "Allow rhsmcertd execute kpatch"
  - Allow openvswitch create and use xfrm netlink sockets
  - Allow openvswitch_t perf_event write permission
  - Add kpatch_exec() interface
  - Allow rhsmcertd execute kpatch
  - Adds rule to allow glusterd to access RDMA socket
  - radius: Lexical sort of service-specific corenet rules by service name
  - VQP: Include IANA-assigned TCP/1589
  - radius: Allow binding to the VQP port (VMPS)
  - radius: Allow binding to the BDF Control and Echo ports
  - radius: Allow binding to the DHCP client port
  - radius: Allow net_raw; allow binding to the DHCP server ports
  - Add rsync_sys_admin tunable to allow rsync sys_admin capability
  - Allow staff_u run pam_console_apply
  - Allow openvswitch_t perf_event open permission
  - Allow sysadm read and write /dev/rfkill
  - Allow certmonger fsetid capability
  - Allow domain read usermodehelper state information
* Wed Jan 27 2021 Fedora Release Engineering <> - 3.14.7-16
  - Rebuilt for
* Fri Jan 22 2021 Petr Lautrbach <> - 3.14.7-15
  - Update specfile to not verify md5/size/mtime for active store files
  - Add /var/mnt equivalency to /mnt
  - Rebuild with SELinux userspace 3.2-rc1 release
* Fri Jan 08 2021 Zdenek Pytela <> - 3.14.7-14
  - Allow domain read usermodehelper state information
  - Remove all kernel_read_usermodehelper_state() interface calls
  - .copr: improve timestamp format
  - Allow wireshark create and use rdma socket
  - Allow domain stat /proc filesystem
  - Remove all kernel_getattr_proc() interface calls
  - Revert "Allow passwd to get attributes in proc_t"
  - Revert "Allow dovecot_auth_t stat /proc filesystem"
  - Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem"
  - Allow sssd read /run/systemd directory
  - Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t
* Thu Dec 17 2020 Zdenek Pytela <> - 3.14.7-13
  - Label /dev/isst_interface as cpu_device_t
  - Dontaudit firewalld dac_override capability
  - Allow ipsec set the context of a SPD entry to the default context
  - Build binary RPMs in CI
  - Add SRPM build scripts for COPR
* Tue Dec 15 2020 Zdenek Pytela <> - 3.14.7-12
  - Allow dovecot_auth_t stat /proc filesystem
  - Allow sysadm_u user and unconfined_domain_type manage perf_events
  - Allow pcp-pmcd manage perf_events
  - Add manage_perf_event_perms object permissions set
  - Add perf_event access vectors.
  - Allow sssd, unix_chkpwd, groupadd stat /proc filesystem
  - Allow stub-resolv.conf to be a symlink
  - sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t
  - Create the systemd_dbus_chat_resolved() compatibility interface
  - Allow nsswitch-domain write to systemd-resolved PID socket files
  - Add systemd_resolved_write_pid_sock_files() interface
  - Add default file context for "/var/run/chrony-dhcp(/.*)?"
  - Allow timedatex dbus chat with cron system domain
  - Add cron_dbus_chat_system_job() interface
  - Allow systemd-logind manage init's pid files
* Wed Dec 09 2020 Zdenek Pytela <> - 3.14.7-11
  - Allow systemd-logind manage init's pid files
  - Allow tcsd the setgid capability
  - Allow systemd-resolved manage its private runtime symlinks
  - Update systemd_resolved_read_pid() to also read symlinks
  - Update systemd-sleep policy
  - Add groupadd_t fowner capability
  - Migrate to GitHub Actions
  - Update to reflect the state after contrib and base merge
  - Add announcing merging of selinux-policy and selinux-policy-contrib
  - Adapt .travis.yml to contrib merge
  - Merge contrib into the main repo
  - Prepare to merge contrib repo
  - Move stuff around to match the main repo
* Thu Nov 26 2020 Zdenek Pytela <> - 3.14.7-10
  - Allow Xephyr connect to 6000/tcp port and open user ptys
  - Allow kexec manage generic tmp files
  - Update targetd nfs & lvm
  - Add interface rpc_manage_exports
  - Merge selinux-policy and selinux-policy-contrib repos
* Tue Nov 24 2020 Zdenek Pytela <> - 3.14.7-9
  - Allow varnish map its private tmp files
  - Allow dovecot bind to smtp ports
  - Change fetchmail temporary files path to /var/spool/mail
  - Allow cups_pdf_t domain to communicate with unix_dgram_socket
  - Set file context for symlinks in /etc/httpd to etc_t
  - Allow rpmdb rw access to inherited console, ttys, and ptys
  - Allow dnsmasq read public files
  - Announce merging of selinux-policy and selinux-policy-contrib
  - Label /etc/resolv.conf as net_conf_t only if it is a plain file
  - Fix range for unreserved ports
  - Add files_search_non_security_dirs() interface
  - Introduce logging_syslogd_append_public_content tunable
  - Add miscfiles_append_public_files() interface
* Fri Nov 13 2020 Zdenek Pytela <> - 3.14.7-8
  - Set correct default file context for /usr/libexec/pcp/lib/*
  - Introduce rpmdb_t type
  - Allow slapd manage files/dirs in ldap certificates directory
  - Revert "Allow certmonger add new entries in a generic certificates directory"
  - Allow certmonger add new entries in a generic certificates directory
  - Allow slapd add new entries in ldap certificates directory
  - Remove retired PCP pmwebd and pmmgr daemons (since 5.0)
  - Let keepalived bind a raw socket
  - Add default file context for /usr/libexec/pcp/lib/*
  - squid: Allow net_raw capability when squid_use_tproxy is enabled
  - systemd: allow networkd to check namespaces
  - Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed
  - Allow resolved to created varlink sockets and the domain to talk to it
  - selinux: tweak selinux_get_enforce_mode() to allow status page to be used
  - systemd: allow all systemd services to check selinux status
  - Set default file context for /var/lib/ipsec/nss
  - Allow user domains transition to rpmdb_t
  - Revert "Add miscfiles_add_entry_generic_cert_dirs() interface"
  - Revert "Add miscfiles_create_generic_cert_dirs() interface"
  - Update miscfiles_manage_all_certs() to include managing directories
  - Add miscfiles_create_generic_cert_dirs() interface
  - Add miscfiles_add_entry_generic_cert_dirs() interface
  - Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t"
* Tue Nov 03 2020 Petr Lautrbach <> - 3.14.7-7
  - Rebuild with latest libsepol
  - Bump policy version to 33
* Thu Oct 22 2020 Zdenek Pytela <> - 3.14.7-6
  - rpc.fc: Include /etc/exports.d dir & files
  - Create chronyd_pid_filetrans() interface
  - Change invalid type redisd_t to redis_t in redis_stream_connect()
  - Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template"
  - Allow init dbus chat with kernel
  - Allow initrc_t create /run/chronyd-dhcp directory with a transition
  - Drop gcc from dependencies in Travis CI
  - Use "==" for comparing integers.
  - re-implement fc_sort in python
  - Remove invalid file context line
  - Drop git from dependencies in Travis CI
* Tue Oct 06 2020 Zdenek Pytela <> - 3.14.7-5
  - Remove empty line from rshd.fc
  - Allow systemd-logind read swap files
  - Add fstools_read_swap_files() interface
  - Allow dyntransition from sshd_t to unconfined_t
  - Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
* Fri Sep 25 2020 Zdenek Pytela <> - 3.14.7-4
  - Allow chronyd_t to accept and make NTS-KE connections
  - Allow domain write to an automount unnamed pipe
  - Label /var/run/zincati/public/motd.d/* as motd_var_run_t
  - Allow login programs to (only) read MOTD files and symlinks
  - Relabel /usr/sbin/charon-systemd as ipsec_exec_t
  - Confine systemd-sleep service
  - Add fstools_rw_swap_files() interface
  - Label 4460/tcp port as ntske_port_t
  - Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces
* Mon Sep 21 2020 Zdenek Pytela <> - 3.14.7-3
  - Check out the right -contrib branch in Travis
* Fri Sep 18 2020 Zdenek Pytela <> - 3.14.7-2
  - Allow openvswitch fowner capability and create netlink sockets
  - Allow additional permissions for gnome-initial-setup
  - Add to map non_security_files to the userdom_admin_user_template template
  - kernel/filesystem: Add exfat support (no extended attributes)
* Tue Sep 08 2020 Zdenek Pytela <> - 3.14.7-1
  - Bump version as Fedora 33 has been branched
  - Allow php-fpm write access to /var/run/redis/redis.sock
  - Allow journalctl to read and write to inherited user domain tty
  - Update rkt policy to allow rkt_t domain to read sysfs filesystem
  - Allow arpwatch create and use rdma socket
  - Allow plymouth sys_chroot capability
  - Allow gnome-initial-setup execute in a xdm sandbox
  - Add new devices and filesystem interfaces
* Mon Aug 24 2020 Zdenek Pytela <> - 3.14.6-25
  - Allow certmonger fowner capability
  - The nfsdcld service is now confined by SELinux
  - Change transitions for ~/.config/Yubico
  - Allow all users to connect to systemd-userdbd with a unix socket
  - Add file context for ~/.config/Yubico
  - Allow syslogd_t domain to read/write tmpfs systemd-bootchart files
  - Allow login_pgm attribute to get attributes in proc_t
  - Allow passwd to get attributes in proc_t
  - Revert "Allow passwd to get attributes in proc_t"
  - Revert "Allow login_pgm attribute to get attributes in proc_t"
  - Allow login_pgm attribute to get attributes in proc_t
  - Allow passwd to get attributes in proc_t
  - Allow traceroute_t and ping_t to bind generic nodes.
  - Create macro corenet_icmp_bind_generic_node()
  - Allow unconfined_t to node_bind icmp_sockets in node_t domain
* Thu Aug 13 2020 Zdenek Pytela <> - 3.14.6-24
  - Add ipa_helper_noatsecure() interface unconditionally
  - Conditionally allow nagios_plugin_domain dbus chat with init
  - Revert "Update allow rules set for nrpe_t domain"
  - Add ipa_helper_noatsecure() interface to ipa.if
  - Label /usr/libexec/qemu-pr-helper with virtd_exec_t
  - Allow kadmind manage kerberos host rcache
  - Allow nsswitch_domain to connect to systemd-machined using a unix socket
  - Define named file transition for sshd on /tmp/krb5_0.rcache2
  - Allow systemd-machined create userdbd runtime sock files
  - Disable kdbus module before updating
* Mon Aug 03 2020 Zdenek Pytela <> - 3.14.6-23
  - Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it."
  - Revert "Add interface to allow types to associate with cgroup filesystems"
  - Revert "kdbusfs should not be accessible for now."
  - Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp"
  - Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode."
  - Remove the legacy kdbus module
  - Remove "kdbus = module" from modules-targeted-base.conf
* Thu Jul 30 2020 Zdenek Pytela <> - 3.14.6-22
  - Allow virtlockd only getattr and lock block devices
  - Allow qemu-ga read all non security file types conditionally
  - Allow virtlockd manage VMs posix file locks
  - Allow smbd get attributes of device files labeled samba_share_t
  - Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t
  - Add a new httpd_can_manage_courier_spool boolean
  - Create interface courier_manage_spool_sockets() in courier policy to allow to search dir and allow manage sock files
  - Revert "Allow qemu-kvm read and write /dev/mapper/control"
  - Revert "Allow qemu read and write /dev/mapper/control"
  - Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain"
  - Dontaudit pcscd_t setting its process scheduling
  - Dontaudit thumb_t setting its process scheduling
  - Allow munin domain transition with NoNewPrivileges
  - Add dev_lock_all_blk_files() interface
  - Allow auditd manage kerberos host rcache files
  - Allow systemd-logind dbus chat with fwupd
* Wed Jul 29 2020 Fedora Release Engineering <> - 3.14.6-21
  - Rebuilt for
* Mon Jul 13 2020 Lukas Vrabec <> - 3.14.6-20
  - Align gen_tunable() syntax with sepolgen
* Fri Jul 10 2020 Zdenek Pytela <> - 3.14.6-19
  - Additional support for keepalived running in a namespace
  - Remove systemd_dbus_chat_resolved(pcp_pmie_t)
  - virt: remove the libvirt qmf rules
  - Allow certmonger manage dirsrv services
  - Run ipa_helper_noatsecure(oddjob_t) only if the interface exists
  - Allow domain dbus chat with systemd-resolved
  - Define file context for /var/run/netns directory only
  - Revert "Add support for fuse.glusterfs"
* Tue Jul 07 2020 Zdenek Pytela <> - 3.14.6-18
  - Allow oddjob_t process noatsecure permission for ipa_helper_t
  - Allow keepalived manage its private type runtime directories
  - Update irqbalance runtime directory file context
  - Allow irqbalance file transition for pid sock_files and directories
  - Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t
  - Allow virtlogd_t manage virt lib files
  - Allow systemd set efivarfs files attributes
  - Support systemctl --user in machinectl
  - Allow chkpwd_t read and write systemd-machined devpts character nodes
  - Allow init_t write to inherited systemd-logind sessions pipes
* Fri Jun 26 2020 Zdenek Pytela <> - 3.14.6-17
  - Allow pdns server to read system state
  - Allow irqbalance nnp_transition
  - Fix description tag for the sssd_connect_all_unreserved_ports tunable
  - Allow journalctl process set its resource limits
  - Add sssd_access_kernel_keys tunable to conditionally access kernel keys
  - Make keepalived work with network namespaces
  - Create sssd_connect_all_unreserved_ports boolean
  - Allow hypervkvpd to request kernel to load a module
  - Allow systemd_private_tmp(dirsrv_tmp_t)
  - Allow microcode_ctl get attributes of sysfs directories
  - Remove duplicate files_dontaudit_list_tmp(radiusd_t) line
  - Allow radiusd connect to gssproxy over unix domain stream socket
  - Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?'
  - Allow qemu read and write /dev/mapper/control
  - Allow tlp_t can_exec() tlp_exec_t
  - Dontaudit vpnc_t setting its process scheduling
  - Remove files_mmap_usr_files() call for particular domains
  - Allow dirsrv_t list cgroup directories
  - Create the kerberos_write_kadmind_tmp_files() interface
  - Allow realmd_t dbus chat with accountsd_t
  - Label systemd-growfs and systemd-makefs as fsadm_exec_t
  - Allow staff_u and user_u setattr generic usb devices
  - Allow sysadm_t dbus chat with accountsd
  - Modify kernel_rw_key() not to include append permission
  - Add kernel_rw_key() interface to access to kernel keyrings
  - Modify systemd_delete_private_tmp() to use delete_*_pattern macros
  - Allow systemd-modules to load kernel modules
  - Add cachefiles_dev_t as a typealias to cachefiles_device_t
  - Allow libkrb5 lib read client keytabs
  - Allow domain mmap usr_t files
  - Remove files_mmap_usr_files() call for systemd domains
  - Allow sshd write to kadmind temporary files
  - Do not audit staff_t and user_t attempts to manage boot_t entries
  - Add files_dontaudit_manage_boot_dirs() interface
  - Allow systemd-tty-ask-password-agent read efivarfs files
* Thu Jun 25 2020 Adam Williamson <> - 3.14.6-16
  - Fix scriptlets when /etc/selinux/config does not exist
* Thu Jun 04 2020 Zdenek Pytela <> - 3.14.6-15
  - Add fetchmail_uidl_cache_t type for /var/mail/
  - Support multiple ways of tlp invocation
  - Allow qemu-kvm read and write /dev/mapper/control
  - Introduce logrotate_use_cifs boolean
  - Allow ptp4l_t sys_admin capability to run bpf programs
  - Allow to getattr files on an nsfs filesystem
  - httpd: Allow NoNewPriv transition from systemd
  - Allow rhsmd read process state of all domains and kernel threads
  - Allow rhsmd mmap /etc/passwd
  - Allow systemd-logind manage efivarfs files
  - Allow initrc_t tlp_filetrans_named_content()
  - Allow systemd_resolved_t to read efivarfs
  - Allow systemd_modules_load_t to read efivarfs
  - Introduce systemd_read_efivarfs_type attribute
  - Allow named transition for /run/tlp from a user shell
  - Allow ipsec_mgmt_t mmap ipsec_conf_file_t files
  - Add file context for /sys/kernel/tracing
* Tue May 19 2020 Zdenek Pytela <> - 3.14.6-14
  - Allow chronyc_t domain to use nsswitch
  - Allow nscd_socket_use() for domains in nscd_use() unconditionally
  - Add allow rules for lttng-sessiond domain
  - Label dirsrv systemd unit files and add dirsrv_systemctl()
  - Allow gluster geo-replication in rsync mode
  - Allow nagios_plugin_domain execute programs in bin directories
  - Allow sys_admin capability for domain labeled systemd_bootchart_t
  - Split the arping path regexp to 2 lines to prevent from relabeling
  - Allow tcpdump sniffing offloaded (RDMA) traffic
  - Revert "Change arping path regexp to work around fixfiles incorrect handling"
  - Change arping path regexp to work around fixfiles incorrect handling
  - Allow read efivarfs_t files by domains executing systemctl file
* Wed Apr 29 2020 Zdenek Pytela <> - 3.14.6-13
  - Update networkmanager_read_pid_files() to allow also list_dir_perms
  - Update policy for NetworkManager_ssh_t
  - Allow glusterd synchronize between master and slave
  - Allow spamc_t domain to read network state
  - Allow strongswan use tun/tap devices and keys
  - Allow systemd_userdbd_t domain logging to journal
* Tue Apr 14 2020 Zdenek Pytela <> - 3.14.6-12
  - Allow rngd create netlink_kobject_uevent_socket and read udev runtime files
  - Allow ssh-keygen create file in /var/lib/glusterd
  - Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files
  - Merge ipa and ipa_custodia modules
  - Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t
  - Introduce daemons_dontaudit_scheduling boolean
  - Modify path for arping in netutils.fc to match both bin and sbin
  - Change file context for /var/run/pam_ssh to match file transition
  - Add file context entry and file transition for /var/run/pam_timestamp
* Tue Mar 31 2020 Zdenek Pytela <> - 3.14.6-11
  - Allow NetworkManager manage dhcpd unit files
  - Update ninfod policy to add nnp transition from systemd to ninfod
  - Remove container interface calling by named_filetrans_domain.
* Wed Mar 25 2020 Zdenek Pytela <> - 3.14.6-10
  - Allow openfortivpn exec shell
  - Remove label session_dbusd_tmp_t for /run/user/USERID/systemd
  - Add ibacm_t ipc_lock capability
  - Allow ipsec_t connectto ipsec_mgmt_t
  - Remove ipa_custodia
  - Allow systemd-journald to read user_tmp_t symlinks
* Wed Mar 18 2020 Zdenek Pytela <> - 3.14.6-9
  - Allow zabbix_t manage and filetrans temporary socket files
  - Makefile: fix tmp/%.mod.fc target
* Fri Mar 13 2020 Zdenek Pytela <> - 3.14.6-8
  - Allow NetworkManager read its unit files and manage services
  - Add init_daemon_domain() for geoclue_t
  - Allow to use nnp_transition in pulseaudio_role
  - Allow pdns_t domain to map files in /usr.
  - Label all NetworkManager fortisslvpn plugins as openfortivpn_exec_t
  - Allow login_pgm create and bind on netlink_selinux_socket
* Mon Mar 09 2020 Zdenek Pytela <> - 3.14.6-7
  - Allow sssd read systemd-resolved runtime directory
  - Allow sssd read NetworkManager's runtime directory
  - Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t
  - Allow system_mail_t to signull pcscd_t
  - Create interface pcscd_signull
  - Allow auditd poweroff or switch to single mode
* Fri Feb 28 2020 Lukas Vrabec <> - 3.14.6-6
  - Allow postfix stream connect to cyrus through runtime socket
  - Dontaudit daemons to set and get scheduling policy/parameters
* Sat Feb 22 2020 Lukas Vrabec <> - 3.14.6-5
  - Allow certmonger_t domain to read pkcs_slotd lock files
  - Allow httpd_t domain to mmap own var_lib_t files BZ(1804853)
  - Allow ipa_custodia_t to create udp_socket and added permission nlmsg_read for netlink_route_sockets
  - Make file context more variable for /usr/bin/fusermount and /bin/fusermount
  - Allow local_login_t domain to getattr cgroup filesystem
  - Allow systemd_logind_t domain to manage user_tmp_t char and block devices
* Tue Feb 18 2020 Lukas Vrabec <> - 3.14.6-4
  - Update virt_read_qemu_pid_files interface
  - Allow systemd_logind_t domain to getattr cgroup filesystem
  - Allow systemd_logind_t domain to manage user_tmp_t char and block devices
  - Allow nsswitch_domain attribute to stream connect to systemd process
* Sun Feb 16 2020 Lukas Vrabec <> - 3.14.6-3
  - Allow systemd labeled as init_t to manage systemd_userdbd_runtime_t symlinks
  - Allow systemd_userdbd_t domain to read efivarfs files
* Sat Feb 15 2020 Lukas Vrabec <> - 3.14.6-2
  - Allow vhostmd communication with hosted virtual machines
  - Add and update virt interfaces
  - Update radiusd policy
  - Allow systemd_private_tmp(named_tmp_t)
  - Allow bacula dac_override capability
  - Allow systemd_networkd_t to read efivarfs
  - Add support for systemd-userdbd
  - Allow systemd system services read efivarfs files
* Sat Feb 15 2020 Lukas Vrabec <> - 3.14.6-1
  - Bump version to 3.14.6 because fedora 32 was branched
* Fri Feb 07 2020 Zdenek Pytela <> - 3.14.5-24
  - Allow ptp4l_t create and use packet_socket sockets
  - Allow ipa_custodia_t create and use netlink_route_socket sockets.
  - Allow networkmanager_t transition to setfiles_t
  - Create init_create_dirs boolean to allow init create directories
* Fri Jan 31 2020 Zdenek Pytela <> - 3.14.5-23
  - Allow thumb_t connect to system_dbusd_t BZ(1795044)
  - Allow saslauthd_t filetrans variable files for /tmp directory
  - Added apache create log dirs macro
  - Tiny documentation fix
  - Allow openfortivpn_t to manage net_conf_t files.
  - Introduce boolean openfortivpn_can_network_connect.
  - Dontaudit domain chronyd_t to list in user home dirs.
  - Allow init_t to create apache log dirs.
  - Add file transition for /dev/nvidia-uvm BZ(1770588)
  - Allow syslog_t to read efivarfs_t files
  - Add ioctl to term_dontaudit_use_ptmx macro
  - Update xserver_rw_session macro
* Thu Jan 30 2020 Fedora Release Engineering <> - 3.14.5-22
  - Rebuilt for
* Fri Jan 24 2020 Zdenek Pytela <> - 3.14.5-21
  - Dontaudit timedatex_t read file_contexts_t and validate security contexts
  - Make stratisd_t domain unconfined for now.
  - stratisd_t policy updates.
  - Label /var/spool/plymouth/boot.log as plymouthd_var_log_t
  - Label /stratis as stratisd_data_t
  - Allow opafm_t to create and use netlink rdma sockets.
  - Allow stratisd_t domain to read/write fixed disk devices and removable devices.
  - Added macro for stratisd to chat over dbus
  - Add dac_override capability to stratisd_t domain
  - Allow init_t set the nice level of all domains BZ(1778088)
  - Allow userdomain to chat with stratisd over dbus.
* Mon Jan 13 2020 Lukas Vrabec <> - 3.14.5-20
  - Fix typo in anaconda SELinux module
  - Allow rtkit_t domain to control scheduling for your install_t processes
  - Boolean: rngd_t to use executable memory
  - Allow rngd_t domain to use nsswitch BZ(1787661)
  - Allow exim to execute bin_t without domain trans
  - Allow create udp sockets for abrt_upload_watch_t domains
  - Drop label zebra_t for frr binaries
  - Allow NetworkManager_t domain to get status of samba services
  - Update milter policy to allow use sendmail
  - Modify file context for .local directory to match exactly BZ(1637401)
  - Allow init_t domain to create own socket files in /tmp
  - Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files
  - Create files_create_non_security_dirs() interface
* Fri Dec 20 2019 Zdenek Pytela <> - 3.14.5-19
  - Allow init_t nnp domain transition to kmod_t
  - Allow userdomain dbus chat with systemd_resolved_t
  - Allow init_t read and setattr on /var/lib/fprintd
  - Allow sysadm_t dbus chat with colord_t
  - Allow confined users run fwupdmgr
  - Allow confined users run machinectl
  - Allow systemd labeled as init_t domain to create dirs labeled as var_t
  - Allow systemd labeled as init_t do read/write tpm_device_t chr files BZ(1778079)
  - Add new file context rabbitmq_conf_t.
  - Allow journalctl read init state BZ(1731753)
  - Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces
  - Allow pulseaudio create .config and dgram sendto to unpriv_userdomain
  - Change type in transition for /var/cache/{dnf,yum} directory
  - Allow cockpit_ws_t read efivarfs_t BZ(1777085)
  - Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030)
  - Allow named_t domain to mmap named_zone_t files BZ(1647493)
  - Make boinc_var_lib_t label system mountdir attribute
  - Allow stratis_t domain to request load modules
  - Update fail2ban policy
  - Allow spamd_update_t access antivirus_unit_file_t BZ(1774092)
  - Allow uuidd_t domain transition from systemd into confined domain with NoNewPrivileges Systemd Security feature.
  - Allow rdisc_t domain transition from systemd into confined domain with NoNewPrivileges Systemd Security feature.
* Thu Nov 28 2019 Lukas Vrabec <> - 3.14.5-18
  - Allow systemd to read all proc
  - Introduce new type pdns_var_lib_t
  - Allow zebra_t domain to read files labeled as nsfs_t.
  - Allow systemd to setattr on all device_nodes
  - Allow systemd to mounton and list all proc types
* Wed Nov 27 2019 Lukas Vrabec <> - 3.14.5-17
  - Fix nonexisting types in rtas_errd_rw_lock interface
  - Allow snmpd_t domain to trace processes in user namespace
  - Allow timedatex_t domain to read relatime clock and adjtime_t files
  - Allow zebra_t domain to execute zebra binaries
  - Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t
  - Allow ksmtuned_t domain to trace processes in user namespace
  - Allow systemd to read symlinks in /var/lib
  - Update dev_mounton_all_device_nodes() interface
  - Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.
  - Allow systemd_domain to map files in /usr.
  - Allow strongswan start using swanctl method BZ(1773381)
  - Dontaudit systemd_tmpfiles_t getattr of all file types BZ(1772976)
* Thu Nov 21 2019 Zdenek Pytela <> - 3.14.5-16
  - Allow timedatex_t domain dbus chat with both confined and unconfined users
  - Allow timedatex_t domain dbus chat with unconfined users
  - Allow NetworkManager_t manage dhcpc_state_t BZ(1770698)
  - Make unconfined domains part of domain_named_attribute
  - Label tcp ports 24816,24817 as pulp_port_t
  - Remove duplicate entries for initrc_t in init.te
* Thu Nov 14 2019 Lukas Vrabec <> - 3.14.5-15
  - Increase SELinux userspace version which should be required.
* Wed Nov 13 2019 Lukas Vrabec <> - 3.14.5-14
  - Increase version of kernel compiled binary policy to 32 because of new SELinux userspace v3.0
* Wed Nov 13 2019 Lukas Vrabec <> - 3.14.5-13
  - Fix typo bugs in rtas_errd_read_lock() interface
  - cockpit: Drop cockpit-cert-session
  - Allow timedatex_t domain to systemctl chronyd domains
  - Allow ipa_helper_t to read krb5_keytab_t files
  - cockpit: Allow cockpit-session to read cockpit-tls state directory
  - Allow stratisd_t domain to read nvme and fixed disk devices
  - Update lldpad_t policy module
  - Dontaudit tmpreaper_t getting attributes from sysctl_type files
  - cockpit: Support https instance factory
  - Added macro for timedatex to chat over dbus.
  - Fix typo in dev_filetrans_all_named_dev()
  - Update files_manage_etc_runtime_files() interface to allow manage also dirs
  - Fix typo in cachefiles device
  - Dontaudit sys_admin capability for auditd_t domains
  - Allow x_userdomain to read adjtime_t files
  - Allow users using template userdom_unpriv_user_template() to run bpf tool
  - Allow x_userdomain to dbus_chat with timedatex.
* Sun Nov 03 2019 Lukas Vrabec <> - 3.14.5-12
  - Label /var/cache/nginx as httpd_cache_t
  - Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald
  - Created dnsmasq_use_ipset boolean
  - Allow capability dac_override in logwatch_mail_t domain
  - Allow automount_t domain to execute ping in own SELinux domain (ping_t)
  - Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
  - Allow collectd_t domain to create netlink_generic_socket sockets
  - Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files
  - Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.
  - Label /etc/postfix/chroot-update as postfix_exec_t
  - Update tmpreaper_t policy due to fuser command
  - Allow kdump_t domain to create netlink_route and udp sockets
  - Allow stratisd to connect to dbus
  - Allow fail2ban_t domain to create netlink netfilter sockets.
  - Allow dovecot get filesystem quotas
  - Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689)
  - Allow systemd-tmpfiles processes to set rlimit information
  - Allow cephfs to use xattrs for storing contexts
  - Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t
* Fri Oct 25 2019 Lukas Vrabec <> - 3.14.5-11
  - Allow confined users to run newaliases
  - Add interface mysql_dontaudit_rw_db()
  - Label /var/lib/xfsdump/inventory as amanda_var_lib_t
  - Allow tmpreaper_t domain to read all domains state
  - Make httpd_var_lib_t label system mountdir attribute
  - Update cockpit policy
  - Update timedatex policy to add macros, more detail below
  - Allow nagios_script_t domain list files labeled sysfs_t.
  - Allow jetty_t domain search and read cgroup_t files.
  - Dontaudit ifconfig_t domain to read/write mysqld_db_t files
  - Dontaudit domains read/write leaked pipes
* Tue Oct 22 2019 Lukas Vrabec <> - 3.14.5-10
  - Update timedatex policy to add macros, more detail below
  - Allow nagios_script_t domain list files labeled sysfs_t.
  - Allow jetty_t domain search and read cgroup_t files.
  - Allow Gluster mount client to mount files_type
  - Dontaudit and disallow sys_admin capability for keepalived_t domain
  - Update numad policy to allow signull, kill, nice and trace processes
  - Allow ipmievd_t to RW watchdog devices
  - Allow ldconfig_t domain to manage initrc_tmp_t link files
  - Allow netutils_t domain to write to initrc_tmp_t fifo files
  - Allow user domains to manage user session services
  - Allow staff and user users to get status of user systemd session
  - Update sudo_role_template() to allow caller domain to read syslog pid files
* Fri Oct 11 2019 Lukas Vrabec <> - 3.14.5-9
  - Allow networkmanager_t domain domain transition to chronyc_t domain BZ(1760226)
* Wed Oct 09 2019 Lukas Vrabec <> - 3.14.5-8
  - Update apache and pkcs policies to make active opencryptoki rules
  - Allow ipa_ods_exporter_t domain to read krb5_keytab files BZ(1759884)
* Wed Oct 09 2019 Lukas Vrabec <> - 3.14.5-7
  - Revert "nova.fc: fix duplicated slash"
  - Introduce new boolean httpd_use_opencryptoki
  - Add new interface apache_read_state()
  - Allow setroubleshoot_fixit_t to read random_device_t
  - Label /etc/named directory as named_conf_t BZ(1759495)
  - nova.fc: fix duplicated slash
  - Allow dkim to execute sendmail
  - Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files
  - Update aide_t domain to allow this tool to analyze also /dev filesystem
  - Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files BZ(1758634)
  - Allow avahi_t to send msg to xdm_t
  - Allow systemd_logind to read dosfs files & dirs
    Allow systemd-logind - a system service that manages user logins, to read files and list dirs on a DOS filesystem
  - Update dev_manage_sysfs() to support managing also lnk files BZ(1759019)
  - Allow systemd_logind_t domain to read blk_files in domain removable_device_t
  - Add new interface udev_getattr_rules_chr_files()
* Fri Oct 04 2019 Lukas Vrabec <> - 3.14.5-6
  - Update aide_t domain to allow this tool to analyze also /dev filesystem
  - Allow bitlbee_t domain map files in /usr
  - Allow stratisd to getattr of fixed disk device nodes
  - Add net_broadcast capability to openvswitch_t domain BZ(1716044)
  - Allow exim_t to read mysqld conf files if exim_can_connect_db is enabled. BZ(1756973)
  - Allow cobblerd_t domain search apache configuration dirs
  - Dontaudit NetworkManager_t domain to write to kdump temp pipes BZ(1750428)
  - Label /var/log/collectd.log as collectd_log_t
  - Allow boltd_t domain to manage sysfs files and dirs BZ(1754360)
  - Add fowner capability to the pcp_pmlogger_t domain BZ(1754767)
  - networkmanager: allow NetworkManager_t to create bluetooth_socket
  - Fix ipa_custodia_stream_connect interface
  - Add new interface udev_getattr_rules_chr_files()
  - Make dbus-broker service work on s390x arch
  - Add new interface dev_mounton_all_device_nodes()
  - Add new interface dev_create_all_files()
  - Allow systemd(init_t) to load kernel modules
  - Allow ldconfig_t domain to manage initrc_tmp_t objects
  - Add new interface init_write_initrc_tmp_pipes()
  - Add new interface init_manage_script_tmp_files()
  - Allow xdm_t setpcap capability in user namespace BZ(1756790)
  - Allow x_userdomain to mmap generic SSL certificates
  - Allow xdm_t domain to use netlink_route sockets BZ(1756791)
  - Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directory BZ(1754245)
  - Allow sudo userdomain to run rpm related commands
  - Add sys_admin capability for ipsec_t domain
  - Allow systemd_modules_load_t domain to read systemd pid files
  - Add new interface init_read_pid_files()
  - Allow systemd labeled as init_t domain to manage faillog_t objects
  - Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc
  - Make ipa_custodia policy active
* Fri Sep 20 2019 Lukas Vrabec <> - 3.14.5-5
  - Fix ipa_custodia_stream_connect interface
  - Allow systemd_modules_load_t domain to read systemd pid files
  - Add new interface init_read_pid_files()
  - Allow systemd labeled as init_t domain to manage faillog_t objects
  - Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc
* Fri Sep 20 2019 Lukas Vrabec <> - 3.14.5-4
  - Run ipa-custodia as ipa_custodia_t
  - Update webalizer_t SELinux policy
  - Dontaudit thumb_t domain to getattr of nsfs_t files BZ(1753598)
  - Allow rhsmcertd_t domain to read rtas_errd lock files
  - Add new interface rtas_errd_read_lock()
  - Update allow rules set for nrpe_t domain
  - Update timedatex SELinux policy to synchronize time with GNOME and add new macro chronyd_service_status to chronyd.if
  - Allow avahi_t to send msg to lpr_t
  - Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label
  - Allow dlm_controld_t domain to read random device
  - Label libvirt drivers as virtd_exec_t
  - Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
  - Allow gssproxy_t domain read state of all processes on system
  - Add new macro systemd_timedated_status to systemd.if to get timedated service status
  - Introduce xdm_manage_bootloader boolean
  - Revert "Unconfined domains, need to create content with the correct labels"
  - Allow xdm_t domain to read sssd pid files BZ(1753240)
  - Move open, audit_access, and execmod to common file perms
/usr/share/selinux/devel/html/Fedora release 34 (Thirty Four).html

Generated by rpm2html 1.8.1

Fabrice Bellet, Mon Sep 20 23:22:47 2021