Name: selinux-policy-devel
Distribution: Fedora Project
Version: 37.12
Vendor: Fedora Project
Release: 2.fc37
Build date: Fri Sep 23 17:34:44 2022
Group: Unspecified
Build host: buildvm-x86-16.iad2.fedoraproject.org
Size: 14320618
Source RPM: selinux-policy-37.12-2.fc37.src.rpm
Packager: Fedora Project
Url: https://github.com/fedora-selinux/selinux-policy
Summary: SELinux policy development files
SELinux policy development package. This package contains:
- interfaces, macros, and patterns for policy development
- a policy example
- the macro-expander utility and some additional files.
License: GPLv2+
* Fri Sep 23 2022 Zdenek Pytela <zpytela@redhat.com> - 37.12-2 - Update make-rhat-patches.sh file to use the f37 dist-git branch in F37 * Thu Sep 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.12-1 - nut-upsd: kernel_read_system_state, fs_getattr_cgroup - Add numad the ipc_owner capability - Allow gst-plugin-scanner read virtual memory sysctls - Allow init read/write inherited user fifo files - Update dnssec-trigger policy: setsched, module_request - added policy for systemd-socket-proxyd - Add the new 'cmd' permission to the 'io_uring' class - Allow winbind-rpcd read and write its key ring - Label /run/NetworkManager/no-stub-resolv.conf net_conf_t - blueman-mechanism can read ~/.local/lib/python*/site-packages directory - pidof executed by abrt can readlink /proc/*/exe - Fix typo in comment - Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum * Wed Sep 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.11-1 - Allow tor get filesystem attributes - Allow utempter append to login_userdomain stream - Allow login_userdomain accept a stream connection to XDM - Allow login_userdomain write to boltd named pipes - Allow staff_u and user_u users write to bolt pipe - Allow login_userdomain watch various directories - Update rhcd policy for executing additional commands 5 - Update rhcd policy for executing additional commands 4 - Allow rhcd create rpm hawkey logs with correct label - Allow systemd-gpt-auto-generator to check for empty dirs - Update rhcd policy for executing additional commands 3 - Allow journalctl read rhcd fifo files - Update insights-client policy for additional commands execution 5 - Allow init remount all file_type filesystems - Confine insights-client systemd unit - Update insights-client policy for additional commands execution 4 - Allow pcp pmcd search tracefs and acct_data dirs - Allow httpd read network sysctls - Dontaudit domain map permission on directories - Revert "Allow X userdomains to mmap user_fonts_cache_t dirs" - Revert 
"Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)" - Update insights-client policy for additional commands execution 3 - Allow systemd permissions needed for sandboxed services - Add rhcd module - Make dependency on rpm-plugin-selinux unordered * Fri Sep 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.10-1 - Allow ipsec_t read/write tpm devices - Allow rhcd execute all executables - Update rhcd policy for executing additional commands 2 - Update insights-client policy for additional commands execution 2 - Allow sysadm_t read raw memory devices - Allow chronyd send and receive chronyd/ntp client packets - Allow ssh client read kerberos homedir config files - Label /var/log/rhc-worker-playbook with rhcd_var_log_t - Update insights-client policy (auditctl, gpg, journal) - Allow system_cronjob_t domtrans to rpm_script_t - Allow smbd_t process noatsecure permission for winbind_rpcd_t - Update tor_bind_all_unreserved_ports interface - Allow chronyd bind UDP sockets to ptp_event ports. - Allow unconfined and sysadm users transition for /root/.gnupg - Add gpg_filetrans_admin_home_content() interface - Update rhcd policy for executing additional commands - Update insights-client policy for additional commands execution - Add userdom_view_all_users_keys() interface - Allow gpg read and write generic pty type - Allow chronyc read and write generic pty type - Allow system_dbusd ioctl kernel with a unix stream sockets - Allow samba-bgqd to read a printer list - Allow stalld get and set scheduling policy of all domains. 
- Allow unconfined_t transition to targetclid_home_t * Thu Aug 11 2022 Zdenek Pytela <zpytela@redhat.com> - 37.9-1 - Allow nm-dispatcher custom plugin dbus chat with nm - Allow nm-dispatcher sendmail plugin get status of systemd services - Allow xdm read the kernel key ring - Allow login_userdomain check status of mount units - Allow postfix/smtp and postfix/virtual read kerberos key table - Allow services execute systemd-notify - Do not allow login_userdomain use sd_notify() - Allow launch-xenstored read filesystem sysctls - Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd - Allow openvswitch fsetid capability - Allow openvswitch use its private tmpfs files and dirs - Allow openvswitch search tracefs dirs - Allow pmdalinux read files on an nfsd filesystem - Allow winbind-rpcd write to winbind pid files - Allow networkmanager to signal unconfined process - Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t - Allow samba-bgqd get a printer list - fix(init.fc): Fix section description - Allow fedora-third-party read the passwords file - Remove permissive domain for rhcd_t - Allow pmie read network state information and network sysctls - Revert "Dontaudit domain the fowner capability" - Allow sysadm_t to run bpftool on the userdomain attribute - Add the userdom_prog_run_bpf_userdomain() interface - Allow insights-client rpm named file transitions - Add /var/tmp/insights-archive to insights_client_filetrans_named_content * Mon Aug 01 2022 Zdenek Pytela <zpytela@redhat.com> - 37.8-1 - Allow sa-update to get init status and start systemd files - Use insights_client_filetrans_named_content - Make default file context match with named transitions - Allow nm-dispatcher tlp plugin send system log messages - Allow nm-dispatcher tlp plugin create and use unix_dgram_socket - Add permissions to manage lnk_files into gnome_manage_home_config - Allow rhsmcertd to read insights config files - Label /etc/insights-client/machine-id - 
fix(devices.fc): Replace single quote in comment to solve parsing issues - Make NetworkManager_dispatcher_custom_t an unconfined domain * Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 37.7-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild * Thu Jul 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.7-1 - Update winbind_rpcd_t - Allow some domains use sd_notify() - Revert "Allow rabbitmq to use systemd notify" - fix(sedoctool.py): Fix syntax warning: "is not" with a literal - Allow nm-dispatcher console plugin manage etc files - Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs - Allow nm-dispatcher console plugin setfscreate - Support using systemd-update-helper in rpm scriptlets - Allow nm-dispatcher winbind plugin read samba config files - Allow domain use userfaultfd over all domains - Allow cups-lpd read network sysctls * Wed Jun 29 2022 Zdenek Pytela <zpytela@redhat.com> - 37.6-1 - Allow stalld set scheduling policy of kernel threads - Allow targetclid read /var/target files - Allow targetclid read generic SSL certificates (fixed) - Allow firewalld read the contents of the sysfs filesystem - Fix file context pattern for /var/target - Use insights_client_etc_t in insights_search_config() - Allow nm-dispatcher ddclient plugin handle systemd services - Allow nm-dispatcher winbind plugin run smbcontrol - Allow nm-dispatcher custom plugin create and use unix dgram socket - Update samba-dcerpcd policy for kerberos usage 2 - Allow keepalived read the contents of the sysfs filesystem - Allow amandad read network sysctls - Allow cups-lpd read network sysctls - Allow kpropd read network sysctls - Update insights_client_filetrans_named_content() - Allow rabbitmq to use systemd notify - Label /var/target with targetd_var_t - Allow targetclid read generic SSL certificates - Update rhcd policy - Allow rhcd search insights configuration directories - Add the kernel_read_proc_files() interface - Require 
policycoreutils >= 3.4-1 - Add a script for enclosing interfaces in ifndef statements - Disable rpm verification on interface_info * Wed Jun 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.5-1 - Allow transition to insights_client named content - Add the insights_client_filetrans_named_content() interface - Update policy for insights-client to run additional commands 3 - Allow dhclient manage pid files used by chronyd - Allow stalld get scheduling policy of kernel threads - Allow samba-dcerpcd work with sssd - Allow dlm_controld send a null signal to a cluster daemon - Allow ksmctl create hardware state information files - Allow winbind_rpcd_t connect to self over a unix_stream_socket - Update samba-dcerpcd policy for kerberos usage - Allow insights-client execute its private memfd: objects - Update policy for insights-client to run additional commands 2 - Use insights_client_tmp_t instead of insights_client_var_tmp_t - Change space indentation to tab in insights-client - Use socket permissions sets in insights-client - Update policy for insights-client to run additional commands - Change rpm_setattr_db_files() to use a pattern - Allow init_t to rw insights_client unnamed pipe - Add rpm setattr db files macro - Fix insights client - Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling - Allow rabbitmq to access its private memfd: objects - Update policy for samba-dcerpcd - Allow stalld setsched and sys_nice * Tue Jun 07 2022 Zdenek Pytela <zpytela@redhat.com> - 37.4-1 - Allow auditd_t noatsecure for a transition to audisp_remote_t - Allow ctdbd nlmsg_read on netlink_tcpdiag_socket - Allow pcp_domain execute its private memfd: objects - Add support for samba-dcerpcd - Add policy for wireguard - Confine targetcli - Allow systemd work with install_t unix stream sockets - Allow iscsid the sys_ptrace userns capability - Allow xdm connect to unconfined_service_t over a unix stream socket * Fri May 27 2022 Zdenek Pytela <zpytela@redhat.com> - 37.3-1 - Allow 
nm-dispatcher custom plugin execute systemctl - Allow nm-dispatcher custom plugin dbus chat with nm - Allow nm-dispatcher custom plugin create and use udp socket - Allow nm-dispatcher custom plugin create and use netlink_route_socket - Use create_netlink_socket_perms in netlink_route_socket class permissions - Add support for nm-dispatcher sendmail scripts - Allow sslh net_admin capability - Allow insights-client manage gpg admin home content - Add the gpg_manage_admin_home_content() interface - Allow rhsmcertd create generic log files - Update logging_create_generic_logs() to use create_files_pattern() - Label /var/cache/insights with insights_client_cache_t - Allow insights-client search gconf homedir - Allow insights-client create and use unix_dgram_socket - Allow blueman execute its private memfd: files - Move the chown call into make-srpm.sh * Fri May 06 2022 Zdenek Pytela <zpytela@redhat.com> - 37.2-1 - Use the networkmanager_dispatcher_plugin attribute in allow rules - Make a custom nm-dispatcher plugin transition - Label port 4784/tcp and 4784/udp with bfd_multi - Allow systemd watch and watch_reads user ptys - Allow sblim-gatherd the kill capability - Label more vdsm utils with virtd_exec_t - Add ksm service to ksmtuned - Add rhcd policy - Dontaudit guest attempts to dbus chat with systemd domains - Dontaudit guest attempts to dbus chat with system bus types - Use a named transition in systemd_hwdb_manage_config() - Add default fc specifications for patterns in /opt - Add the files_create_etc_files() interface - Allow nm-dispatcher console plugin create and write files in /etc - Allow nm-dispatcher console plugin transition to the setfiles domain - Allow more nm-dispatcher plugins append to init stream sockets - Allow nm-dispatcher tlp plugin dbus chat with nm - Reorder networkmanager_dispatcher_plugin_template() calls - Allow svirt connectto virtlogd - Allow blueman map its private memfd: files - Allow sysadm user execute init scripts with a transition - 
Allow sblim-sfcbd connect to sblim-reposd stream - Allow keepalived_unconfined_script_t dbus chat with init - Run restorecon with "-i" not to report errors * Mon May 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.1-1 - Fix users for SELinux userspace 3.4 - Label /var/run/machine-id as machineid_t - Add stalld to modules.conf - Use files_tmpfs_file() for rhsmcertd_tmpfs_t - Allow blueman read/write its private memfd: objects - Allow insights-client read rhnsd config files - Allow insights-client create_socket_perms for tcp/udp sockets * Tue Apr 26 2022 Zdenek Pytela <zpytela@redhat.com> - 36.8-1 - Allow nm-dispatcher chronyc plugin append to init stream sockets - Allow tmpreaper the sys_ptrace userns capability - Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t - Allow nm-dispatcher tlp plugin read/write the wireless device - Allow nm-dispatcher tlp plugin append to init socket - Allow nm-dispatcher tlp plugin be client of a system bus - Allow nm-dispatcher list its configuration directory - Ecryptfs-private support - Allow colord map /var/lib directories - Allow ntlm_auth read the network state information - Allow insights-client search rhnsd configuration directory * Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-3 - Add support for nm-dispatcher tlp-rdw scripts - Update github actions to satisfy git 2.36 stricter rules - New policy for stalld - Allow colord read generic files in /var/lib - Allow xdm mounton user temporary socket files - Allow systemd-gpt-auto-generator create and use netlink_kobject_uevent_socket - Allow sssd domtrans to pkcs_slotd_t - Allow keepalived setsched and sys_nice - Allow xdm map generic files in /var/lib - Allow xdm read generic symbolic links in /var/lib - Allow pppd create a file in the locks directory - Add file map permission to lpd_manage_spool() interface - Allow system dbus daemon watch generic directories in /var/lib - Allow pcscd the sys_ptrace userns capability - Add the corecmd_watch_bin_dirs() 
interface * Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-2 - Relabel explicitly some dirs in %posttrans scriptlets * Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-1 - Add stalld module to modules-targeted-contrib.conf * Mon Apr 04 2022 Zdenek Pytela <zpytela@redhat.com> - 36.6-1 - Add support for systemd-network-generator - Add the io_uring class - Allow nm-dispatcher dhclient plugin append to init stream sockets - Relax the naming pattern for systemd private shared libraries - Allow nm-dispatcher iscsid plugin append to init socket - Add the init_append_stream_sockets() interface - Allow nm-dispatcher dnssec-trigger script to execute pidof - Add support for nm-dispatcher dnssec-trigger scripts - Allow chronyd talk with unconfined user over unix domain dgram socket - Allow fenced read kerberos key tables - Add support for nm-dispatcher ddclient scripts - Add systemd_getattr_generic_unit_files() interface - Allow fprintd read and write hardware state information - Allow exim watch generic certificate directories - Remove duplicate fc entries for corosync and corosync-notifyd - Label corosync-cfgtool with cluster_exec_t - Allow qemu-kvm create and use netlink rdma sockets - Allow logrotate a domain transition to cluster administrative domain * Fri Mar 18 2022 Zdenek Pytela <zpytela@redhat.com> - 36.5-1 - Add support for nm-dispatcher console helper scripts - Allow nm-dispatcher plugins read its directory and sysfs - Do not let system_cronjob_t create redhat-access-insights.log with var_log_t - devices: Add a comment about cardmgr_dev_t - Add basic policy for BinderFS - Label /var/run/ecblp0 pipe with cupsd_var_run_t - Allow rpmdb create directory in /usr/lib/sysimage - Allow rngd drop privileges via setuid/setgid/setcap - Allow init watch and watch_reads user ttys - Allow systemd-logind dbus chat with sosreport - Allow chronyd send a message to sosreport over datagram socket - Remove unnecessary /etc file transitions for insights-client - 
Label all content in /var/lib/insights with insights_client_var_lib_t - Update insights-client policy * Wed Feb 23 2022 Zdenek Pytela <zpytela@redhat.com> - 36.4-2 - Add insights_client module to modules-targeted-contrib.conf * Wed Feb 23 2022 Zdenek Pytela <zpytela@redhat.com> - 36.4-1 - Update NetworkManager-dispatcher cloud and chronyc policy - Update insights-client: fc pattern, motd, writing to etc - Allow systemd-sysctl read the security state information - Allow init create and mounton to support PrivateDevices - Allow sosreport dbus chat abrt systemd timedatex * Tue Feb 22 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-2 - Update specfile to buildrequire policycoreutils-devel >= 3.3-4 - Add modules_checksum to %files * Thu Feb 17 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-1 - Update NetworkManager-dispatcher policy to use scripts - Allow init mounton kernel messages device - Revert "Make dbus-broker service working on s390x arch" - Remove permissive domain for insights_client_t - Allow userdomain read symlinks in /var/lib - Allow iptables list cgroup directories - Dontaudit mdadm list dirsrv tmpfs dirs - Dontaudit dirsrv search filesystem sysctl directories - Allow chage domtrans to sssd - Allow postfix_domain read dovecot certificates - Allow systemd-networkd create and use netlink netfilter socket - Allow nm-dispatcher read nm-dispatcher-script symlinks - filesystem.te: add genfscon rule for ntfs3 filesystem - Allow rhsmcertd get attributes of cgroup filesystems - Allow sandbox_web_client_t watch various dirs - Exclude container.if from policy devel files - Run restorecon on /usr/lib/sysimage/rpm instead of /var/lib/rpm * Fri Feb 11 2022 Zdenek Pytela <zpytela@redhat.com> - 36.2-1 - Allow sysadm_passwd_t to relabel passwd and group files - Allow confined sysadmin to use tool vipw - Allow login_userdomain map /var/lib/directories - Allow login_userdomain watch library and fonts dirs - Allow login_userdomain watch system configuration dirs - Allow 
login_userdomain read systemd runtime files - Allow ctdb create cluster logs - Allow alsa bind mixer controls to led triggers - New policy for insight-client - Add mctp_socket security class and access vectors - Fix koji repo URL pattern - Update chronyd_pid_filetrans() to allow create dirs - Update NetworkManager-dispatcher policy - Allow unconfined to run virtd bpf - Allow nm-privhelper setsched permission and send system logs - Add the map permission to common_anon_inode_perm permission set - Rename userfaultfd_anon_inode_perms to common_inode_perms - Allow confined users to use kinit,klist and etc. - Allow rhsmcertd create rpm hawkey logs with correct label * Thu Feb 03 2022 Zdenek Pytela <zpytela@redhat.com> - 36.1-1 - Label exFAT utilities at /usr/sbin - policy/modules/contrib: Support /usr/lib/sysimage/rpm as the rpmdb path - Enable genfs_seclabel_symlinks policy capability - Sync policy/policy_capabilities with refpolicy - refpolicy: drop unused socket security classes - Label new utility of NetworkManager nm-priv-helper - Label NetworkManager-dispatcher service with separate context - Allow sanlock get attributes of filesystems with extended attributes - Associate stratisd_data_t with device filesystem - Allow init read stratis data symlinks * Tue Feb 01 2022 Zdenek Pytela <zpytela@redhat.com> - 35.13-1 - Allow systemd services watch dbusd pid directory and its parents - Allow ModemManager connect to the unconfined user domain - Label /dev/wwan.+ with modem_manager_t - Allow alsactl set group Process ID of a process - Allow domtrans to sssd_t and role access to sssd - Creating interface sssd_run_sssd() - Label utilities for exFAT filesystems with fsadm_exec_t - Label /dev/nvme-fabrics with fixed_disk_device_t - Allow init delete generic tmp named pipes - Allow timedatex dbus chat with xdm * Wed Jan 26 2022 Zdenek Pytela <zpytela@redhat.com> - 35.12-1 - Fix badly indented used interfaces - Allow domain transition to sssd_t - Dontaudit sfcbd sys_ptrace 
cap_userns - Label /var/lib/plocate with locate_var_lib_t - Allow hostapd talk with unconfined user over unix domain dgram socket - Allow NetworkManager talk with unconfined user over unix domain dgram socket - Allow system_mail_t read inherited apache system content rw files - Add apache_read_inherited_sys_content_rw_files() interface - Allow rhsm-service execute its private memfd: objects - Allow dirsrv read configfs files and directories - Label /run/stratisd with stratisd_var_run_t - Allow tumblerd write to session_dbusd tmp socket files * Wed Jan 19 2022 Zdenek Pytela <zpytela@redhat.com> - 35.11-1 - Revert "Label /etc/cockpit/ws-certs.d with cert_t" - Allow login_userdomain write to session_dbusd tmp socket files - Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t * Mon Jan 17 2022 Zdenek Pytela <zpytela@redhat.com> - 35.10-1 - Allow login_userdomain watch systemd-machined PID directories - Allow login_userdomain watch systemd-logind PID directories - Allow login_userdomain watch accountsd lib directories - Allow login_userdomain watch localization directories - Allow login_userdomain watch various files and dirs - Allow login_userdomain watch generic directories in /tmp - Allow rhsm-service read/write its private memfd: objects - Allow radiusd connect to the radacct port - Allow systemd-io-bridge ioctl rpm_script_t - Allow systemd-coredump userns capabilities and root mounton - Allow systemd-coredump read and write usermodehelper state - Allow login_userdomain create session_dbusd tmp socket files - Allow gkeyringd_domain write to session_dbusd tmp socket files - Allow systemd-logind delete session_dbusd tmp socket files - Allow gdm-x-session write to session dbus tmp sock files - Label /etc/cockpit/ws-certs.d with cert_t - Allow kpropd get attributes of cgroup filesystems - Allow administrative users the bpf capability - Allow sysadm_t start and stop transient services - Connect triggerin to pcre2 instead of pcre * Wed Jan 12 2022 Zdenek Pytela 
<zpytela@redhat.com> - 35.9-1 - Allow sshd read filesystem sysctl files - Revert "Allow sshd read sysctl files" - Allow tlp read its systemd unit - Allow gssproxy access to various system files. - Allow gssproxy read, write, and map ica tmpfs files - Allow gssproxy read and write z90crypt device - Allow sssd_kcm read and write z90crypt device - Allow smbcontrol read the network state information - Allow virt_domain map vhost devices - Allow fcoemon request the kernel to load a module - Allow sshd read sysctl files - Ensure that `/run/systemd/*` are properly labeled - Allow admin userdomains use socketpair() - Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling - Allow lldpd connect to snmpd with a unix domain stream socket - Dontaudit pkcsslotd sys_admin capability * Thu Dec 23 2021 Zdenek Pytela <zpytela@redhat.com> - 35.8-1 - Allow haproxy get attributes of filesystems with extended attributes - Allow haproxy get attributes of cgroup filesystems - Allow sysadm execute sysadmctl in sysadm_t domain using sudo - Allow userdomains use pam_ssh_agent_auth for passwordless sudo - Allow sudodomains execute passwd in the passwd domain - Allow braille printing in selinux - Allow sandbox_xserver_t map sandbox_file_t - Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t - Add hwtracing_device_t type for hardware-level tracing and debugging - Label port 9528/tcp with openqa_liveview - Label /var/lib/shorewall6-lite with shorewall_var_lib_t - Document Security Flask model in the policy * Fri Dec 10 2021 Zdenek Pytela <zpytela@redhat.com> - 35.7-1 - Allow systemd read unlabeled symbolic links - Label abrt-action-generate-backtrace with abrt_handle_event_exec_t - Allow dnsmasq watch /etc/dnsmasq.d directories - Allow rhsmcertd get attributes of tmpfs_t filesystems - Allow lldpd use an snmp subagent over a tcp socket - Allow xdm watch generic directories in /var/lib - Allow login_userdomain open/read/map system journal - Allow sysadm_t connect to 
cluster domains over a unix stream socket - Allow sysadm_t read/write pkcs shared memory segments - Allow sysadm_t connect to sanlock over a unix stream socket - Allow sysadm_t dbus chat with sssd - Allow sysadm_t set attributes on character device nodes - Allow sysadm_t read and write watchdog devices - Allow smbcontrol use additional socket types - Allow cloud-init dbus chat with systemd-logind - Allow svnserve send mail from the system - Update userdom_exec_user_tmp_files() with an entrypoint rule - Allow sudodomain send a null signal to sshd processes * Fri Nov 19 2021 Zdenek Pytela <zpytela@redhat.com> - 35.6-1 - Allow PID 1 and dbus-broker IPC with a systemd user session - Allow rpmdb read generic SSL certificates - Allow rpmdb read admin home config files - Report warning on duplicate definition of interface - Allow redis get attributes of filesystems with extended attributes - Allow sysadm_t dbus chat with realmd_t - Make cupsd_lpd_t a daemon - Allow tlp dbus-chat with NetworkManager - filesystem: add fs_use_trans for ramfs - Allow systemd-logind destroy unconfined user's IPC objects * Thu Nov 04 2021 Zdenek Pytela <zpytela@redhat.com> - 35.5-1 - Support sanlock VG automated recovery on storage access loss 2/2 - Support sanlock VG automated recovery on storage access loss 1/2 - Revert "Support sanlock VG automated recovery on storage access loss" - Allow tlp get service units status - Allow fedora-third-party manage 3rd party repos - Allow xdm_t nnp_transition to login_userdomain - Add the auth_read_passwd_file() interface - Allow redis-sentinel execute a notification script - Allow fetchmail search cgroup directories - Allow lvm_t to read/write devicekit disk semaphores - Allow devicekit_disk_t to use /dev/mapper/control - Allow devicekit_disk_t to get IPC info from the kernel - Allow devicekit_disk_t to read systemd-logind pid files - Allow devicekit_disk_t to mount filesystems on mnt_t directories - Allow devicekit_disk_t to manage mount_var_run_t files 
- Allow rasdaemon sys_admin capability to verify the CAP_SYS_ADMIN of the soft_offline_page function implemented in the kernel - Use $releasever in koji repo to reduce rawhide hardcoding - authlogin: add fcontext for tcb - Add erofs as a SELinux capable file system - Allow systemd execute user bin files - Support sanlock VG automated recovery on storage access loss - Support new PING_CHECK health checker in keepalived * Wed Oct 20 2021 Zdenek Pytela <zpytela@redhat.com> - 35.4-1 - Allow fedora-third-party map generic cache files - Add gnome_map_generic_cache_files() interface - Add files_manage_var_lib_dirs() interface - Allow fedora-third party manage gpg keys - Allow fedora-third-party run "flatpak remote-add --from flathub" * Tue Oct 19 2021 Zdenek Pytela <zpytela@redhat.com> - 35.3-1 - Allow fedora-third-party run flatpak post-install actions - Allow fedora-third-party set_setsched and sys_nice * Mon Oct 18 2021 Zdenek Pytela <zpytela@redhat.com> - 35.2-1 - Allow fedora-third-party execute "flatpak remote-add" - Add files_manage_var_lib_files() interface - Add write permisson to userfaultfd_anon_inode_perms - Allow proper function sosreport via iotop - Allow proper function sosreport in sysadmin role - Allow fedora-third-party to connect to the system log service - Allow fedora-third-party dbus chat with policykit - Allow chrony-wait service start with DynamicUser=yes - Allow management of lnk_files if similar access to regular files - Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges - Allow systemd-resolved watch /run/systemd - Allow fedora-third-party create and use unix_dgram_socket - Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files - Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain * Thu Oct 07 2021 Zdenek Pytela <zpytela@redhat.com> - 35.1-1 - Add fedoratp module - Allow xdm_t domain transition to fedoratp_t - Allow ModemManager create and use netlink route socket - Add default file context for 
/run/gssproxy.default.sock - Allow xdm_t watch fonts directories - Allow xdm_t watch generic directories in /lib - Allow xdm_t watch generic pid directories * Thu Sep 23 2021 Zdenek Pytela <zpytela@redhat.com> - 34.21-1 - Add bluetooth-related permissions into a tunable block - Allow gnome at-spi processes create and use stream sockets - Allow usbmuxd get attributes of tmpfs_t filesystems - Allow fprintd install a sleep delay inhibitor - Allow collectd get attributes of infiniband devices - Allow collectd create and user netlink rdma socket - Allow collectd map packet_socket - Allow snort create and use blootooth socket - Allow systemd watch and watch_reads console devices - Allow snort create and use generic netlink socket - Allow NetworkManager dbus chat with fwupd - Allow unconfined domains read/write domain perf_events - Allow scripts to enter LUKS password - Update mount_manage_pid_files() to use manage_files_pattern - Support hitless reloads feature in haproxy - Allow haproxy list the sysfs directories content - Allow gnome at-spi processes get attributes of tmpfs filesystems - Allow unbound connectto unix_stream_socket - Allow rhsmcertd_t dbus chat with anaconda install_t * Thu Sep 16 2021 Zdenek Pytela <zpytela@redhat.com> - 34.20-1 - cleanup unused codes - Fix typo in the gnome_exec_atspi() interface summary - Allow xdm execute gnome-atspi services - Allow gnome at-spi processes execute dbus-daemon in caller domain - Allow xdm watch dbus configuration - Allow xdm execute dbus-daemon in the caller domain - Revert "Allow xdm_t transition to system_dbusd_t" - Allow at-spi-bus-launcher read and map xdm pid files - Allow dhcpcd set its resource limits - Allow systemd-sleep get removable devices attributes - Allow usbmuxd get attributes of fs_t filesystems * Thu Sep 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.19-1 - Update the dhcp client local policy - Allow firewalld load kernel modules - Allow postfix_domain to sendto unix dgram sockets. 
- Allow systemd watch unallocated ttys

* Tue Sep 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.18-1
- Allow ModemManager create a qipcrtr socket
- Allow ModemManager request to load a kernel module
- Label /usr/sbin/virtproxyd as virtd_exec_t
- Allow communication between at-spi and gdm processes
- Update ica_filetrans_named_content() with create_file_perms
- Fix the gnome_atspi_domtrans() interface summary

* Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-5
- Add ica module to modules-targeted-contrib.conf

* Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-4
- Add trailing \ to the relabel() block which is needed even in a comment

* Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-3
- Add ica module to modules-targeted.conf

* Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-2
- Relabel /var/lib/rpm explicitly
- Revert "Relabel /dev/dma_heap explicitly"

* Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-1
- Add support for at-spi
- Add permissions for system dbus processes
- Allow various domains work with ICA crypto accelerator
- Add ica module
- Revert "Support using ICA crypto accelerator on s390x arch"
- Allow systemd to delete fwupd var cache files
- Allow vmtools_unconfined_t domain transition to rpm_script_t
- Allow dirsrv read slapd tmpfs files
- Revert "Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label"
- Rename samba_exec() to samba_exec_net()
- Support using ICA crypto accelerator on s390x arch
- Allow systemd delete /run/systemd/default-hostname
- Allow tcpdump read system state information in /proc
- Allow rhsmcertd to create cache file in /var/cache/cloud-what
- Allow D-bus communication between avahi and sosreport
- Label /usr/libexec/gdm-runtime-config with xdm_exec_t
- Allow lldpad send to kdumpctl over a unix dgram socket
- Revert "Allow lldpad send to kdump over a unix dgram socket"
- Allow chronyc respond to a user chronyd instance
- Allow ptp4l respond to pmc
- Allow lldpad send to unconfined_t over a unix dgram socket
- Allow sssd to set samba setting

* Thu Aug 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.16-1
- Allow systemd-timesyncd watch system dbus pid socket files
- Allow firewalld drop capabilities
- Allow rhsmcertd execute gpg
- Allow lldpad send to kdump over a unix dgram socket
- Allow systemd-gpt-auto-generator read udev pid files
- Set default file context for /sys/firmware/efi/efivars
- Allow tcpdump run as a systemd service
- Allow nmap create and use netlink generic socket
- Allow nscd watch system db files in /var/db
- Allow cockpit_ws_t get attributes of fs_t filesystems
- Allow sysadm access to kernel module resources
- Allow sysadm to read/write scsi files and manage shadow
- Allow sysadm access to files_unconfined and bind rpc ports
- Allow sysadm read and view kernel keyrings
- Allow journal mmap and read var lib files
- Allow tuned to read rhsmcertd config files
- Allow bootloader to read tuned etc files
- Label /usr/bin/qemu-storage-daemon with virtd_exec_t

* Fri Aug 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.15-1
- Disable seccomp on CI containers
- Allow systemd-machined stop generic service units
- Allow virtlogd_t read process state of user domains
- Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp
- Label /dev/crypto/nx-gzip with accelerator_device_t
- Update the policy for systemd-journal-upload
- Allow unconfined domains to bpf all other domains
- Confine rhsm service and rhsm-facts service as rhsmcertd_t
- Allow fcoemon talk with unconfined user over unix domain datagram socket
- Allow abrt_domain read and write z90crypt device
- Allow mdadm read iscsi pid files
- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
- Allow hostapd bind UDP sockets to the dhcpd port
- Unconfined domains should not be confined

* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 34.14-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild

* Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.14-1
- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
- Remove references to init_watch_path_type attribute
- Remove all redundant watch permissions for systemd
- Allow systemd watch non_security_file_type dirs, files, lnk_files
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
- Allow bacula get attributes of cgroup filesystems
- Allow systemd-journal-upload watch logs and journal
- Create a policy for systemd-journal-upload
- Allow tcpdump and nmap get attributes of infiniband_device_t
- Allow arpwatch get attributes of infiniband_device_t devices
- Label /dev/wmi/dell-smbios as acpi_device_t

* Thu Jul 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.13-1
- Allow radius map its library files
- Allow nftables read NetworkManager unnamed pipes
- Allow logrotate rotate container log files

* Tue Jun 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-2
- Add a systemd service to check that SELinux is disabled properly
- specfile: Add unowned dir to the macro
- Relabel /dev/dma_heap explicitly

* Mon Jun 21 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-1
- Label /dev/dma_heap/* char devices with dma_device_t
- Revert "Label /dev/dma_heap/* char devices with dma_device_t"
- Revert "Label /dev/dma_heap with dma_device_dir_t"
- Revert "Associate dma_device_dir_t with device filesystem"
- Add the lockdown integrity permission to dev_map_userio_dev()
- Allow systemd-modules-load read/write tracefs files
- Allow sssd watch /run/systemd
- Label /usr/bin/arping plain file with netutils_exec_t
- Label /run/fsck with fsadm_var_run_t
- Label /usr/bin/Xwayland with xserver_exec_t
- Allow systemd-timesyncd watch dbus runtime dir
- Allow asterisk watch localization files
- Allow iscsid read all process stat
- iptables.fc: Add missing legacy-restore and legacy-save entries
- Label /run/libvirt/common with virt_common_var_run_t
- Label /.k5identity file allow read of this file to rpc.gssd
- Make usbmuxd_t a daemon

* Wed Jun 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.11-1
- Allow sanlock get attributes of cgroup filesystems
- Associate dma_device_dir_t with device filesystem
- Set default file context for /var/run/systemd instead of /run/systemd
- Allow nmap create and use rdma socket
- Allow pkcs-slotd create and use netlink_kobject_uevent_socket

* Sun Jun 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.10-1
- Allow using opencryptoki for ipsec
- Allow using opencryptoki for certmonger
- Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
- Label /dev/dma_heap with dma_device_dir_t
- Allow syslogd watch non security dirs conditionally
- Introduce logging_syslogd_list_non_security_dirs tunable
- Remove openhpi module
- Allow udev to watch fixed disk devices
- Allow httpd_sys_script_t read, write, and map hugetlbfs files
- Allow apcupsd get attributes of cgroup filesystems

* Thu May 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.9-1
- Add kerberos object filetrans for nsswitchdomain
- Allow fail2ban watch various log files
- Add logging_watch_audit_log_files() and logging_watch_audit_log_dirs()
- Remove further modules recently removed from refpolicy
- Remove modules not shipped and not present in refpolicy
- Revert "Add permission open to files_read_inherited_tmp_files() interface"
- Revert "Allow pcp_pmlogger_t to use setrlimit BZ(1708951)"
- Revert "Dontaudit logrotate to setrlimit itself. rhbz#1309604"
- Revert "Allow cockpit_ws_t domain to set limits BZ(1701703)"
- Dontaudit setrlimit for domains that exec systemctl
- Allow kdump_t net_admin capability
- Allow nsswitch_domain read init pid lnk_files
- Label /dev/trng with random_device_t
- Label /run/systemd/default-hostname with hostname_etc_t
- Add default file context specification for dnf log files
- Label /dev/zram[0-9]+ block device files with fixed_disk_device_t
- Label /dev/udmabuf character device with dma_device_t
- Label /dev/dma_heap/* char devices with dma_device_t
- Label /dev/acpi_thermal_rel char device with acpi_device_t

* Thu May 20 2021 Zdenek Pytela <zpytela@redhat.com> - 34.8-2
- Remove temporary explicit /dev/nvme relabeling

* Thu May 20 2021 Zdenek Pytela <zpytela@redhat.com> - 34.8-1
- Allow local_login_t nnp_transition to login_userdomain
- Allow asterisk watch localization symlinks
- Allow NetworkManager_t to watch /etc
- Label /var/lib/kdump with kdump_var_lib_t
- Allow amanda get attributes of cgroup filesystems
- Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t
- Allow install_t nnp_domtrans to setfiles_mac_t
- Allow fcoemon create sysfs files

* Thu May 13 2021 Zdenek Pytela <zpytela@redhat.com> - 34.7-1
- Allow tgtd read and write infiniband devices
- Add a comment on virt_sandbox booleans with empty content
- Deprecate duplicate dev_write_generic_sock_files() interface
- Allow vnstatd_t map vnstatd_var_lib_t files
- Allow privoxy execmem
- Allow pmdakvm read information from the debug filesystem
- Add lockdown integrity into kernel_read_debugfs() and kernel_manage_debugfs()
- Add permissions to delete lnk_files into gnome_delete_home_config()
- Remove rules for inotifyfs
- Remove rules for anon_inodefs
- Allow systemd nnp_transition to login_userdomain
- Allow unconfined_t write other processes perf_event records
- Allow sysadm_t dbus chat with tuned
- Allow tuned write profile files with file transition
- Allow tuned manage perf_events
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()

* Fri May 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.6-1
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
- Add kernel_write_perf_event() and kernel_manage_perf_event()
- Allow syslogd_t watch root and var directories
- Allow unconfined_t read other processes perf_event records
- Allow login_userdomain read and map /var/lib/systemd files
- Allow NetworkManager watch its config dir
- Allow NetworkManager read and write z90crypt device
- Allow tgtd create and use rdma socket
- Allow aide connect to init with a unix socket

* Tue May 04 2021 Zdenek Pytela <zpytela@redhat.com> - 34.5-1
- Grant execmem to varnishlog_t
- We no longer need signull for varnishlog_t
- Add map permission to varnishd_read_lib_files
- Allow systemd-sleep tlp_filetrans_named_content()
- Allow systemd-sleep execute generic programs
- Allow systemd-sleep execute shell
- Allow to sendmail read/write kerberos host rcache files
- Allow freshclam get attributes of cgroup filesystems
- Fix context of /run/systemd/timesync
- Allow udev create /run/gdm with proper type
- Allow chronyc socket file transition in user temp directory
- Allow virtlogd_t to create virt_var_lockd_t dir
- Allow pluto IKEv2 / ESP over TCP

* Tue Apr 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.4-1
- Allow domain create anonymous inodes
- Add anon_inode class to the policy
- Allow systemd-coredump getattr nsfs files and net_admin capability
- Allow systemd-sleep transition to sysstat_t
- Allow systemd-sleep transition to tlp_t
- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
- Allow systemd-timedated watch runtime dir and its parent
- Allow system dbusd read /var/lib symlinks
- Allow unconfined_service_t confidentiality and integrity lockdown
- Label /var/lib/brltty with brltty_var_lib_t
- Allow domain and unconfined_domain_type watch /proc/PID dirs
- Additional permission for confined users logging into graphic session
- Make for screen fsetid/setuid/setgid permission conditional
- Allow for confined users access to wtmp and run utempter

* Fri Apr 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.3-1
- Label /etc/redis as redis_conf_t
- Add brltty new permissions required by new upstream version
- Allow cups-lpd read its private runtime socket files
- Dontaudit daemon open and read init_t file
- Add file context specification for /var/tmp/tmp-inst
- Allow brltty create and use bluetooth_socket
- Allow usbmuxd get attributes of cgroup filesystems

* Tue Apr 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.2-1
- Allow usbmuxd get attributes of cgroup filesystems
- Allow accounts-daemon get attributes of cgroup filesystems
- Allow pool-geoclue get attributes of cgroup filesystems
- allow systemd-sleep to set timer for suspend-then-hibernate
- Allow aide connect to systemd-userdbd with a unix socket
- Add new interfaces with watch_mount and watch_with_perm permissions
- Add file context specification for /usr/libexec/realmd
- Allow /tmp file transition for dbus-daemon also for sock_file
- Allow login_userdomain create cgroup files
- Allow plymouthd_t exec generic program in bin directories

* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1-1
- Change the package versioning

* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-10
- Allow plymouthd_t exec generic program in bin directories
- Allow dhcpc_t domain transition to chronyc_t
- Allow login_userdomain bind xmsg port
- Allow ibacm the net_raw and sys_rawio capabilities
- Allow nsswitch_domain read cgroup files
- Allow systemd-sleep create hardware state information files

* Mon Mar 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-9
- Add watch_with_perm_dirs_pattern file pattern

* Fri Mar 26 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-8
- Allow arpwatch_t create netlink generic socket
- Allow postgrey read network state
- Add watch_mount_dirs_pattern file pattern
- Allow bluetooth_t dbus chat with fwupd_t
- Allow xdm_t watch accountsd lib directories
- Add additional interfaces for watching /boot
- Allow sssd_t get attributes of tmpfs filesystems
- Allow local_login_t get attributes of tmpfs filesystems
- Dontaudit domain the fowner capability
- Extend fs_manage_nfsd_fs() to allow managing dirs as well
- Allow spice-vdagentd watch systemd-logind session dirs

* Fri Mar 19 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-7
- Allow xdm_t watch systemd-logind session dirs
- Allow xdm_t transition to system_dbusd_t
- Allow confined users login into graphic session
- Allow login_userdomain watch systemd login session dirs
- install_t: Allow NoNewPriv transition from systemd
- Remove setuid/setgid capabilities from mysqld_t
- Add context for new mariadbd executable files
- Allow netutils_t create netlink generic socket
- Allow systemd the audit_control capability conditionally

* Thu Mar 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-6
- Allow polkit-agent-helper-1 read logind sessions files
- Allow polkit-agent-helper read init state
- Allow login_userdomain watch generic device dirs
- Allow login_userdomain listen on bluetooth sockets
- Allow user_t and staff_t bind netlink_generic_socket
- Allow login_userdomain write inaccessible nodes
- Allow transition from xdm domain to unconfined_t domain.
- Add 'make validate' step to CI
- Disallow user_t run su/sudo and staff_t run su
- Fix typo in rsyncd.conf in rsync.if
- Add an alias for nvme_device_t
- Allow systemd watch and watch_reads unallocated ttys

* Wed Mar 03 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-5
- Allow apmd watch generic device directories
- Allow kdump load a new kernel
- Add confidentiality lockdown permission to kernel_read_core_if()
- Allow keepalived read nsfs files
- Allow local_login_t get attributes of filesystems with ext attributes
- Allow keepalived read/write its private memfd: objects
- Add missing declaration in rpm_named_filetrans()
- Change param description in cron interfaces to userdomain_prefix

* Wed Feb 24 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-4
- iptables.fc: Add missing legacy entries
- iptables.fc: Remove some duplicate entries
- iptables.fc: Remove duplicate file context entries
- Allow libvirtd to create generic netlink sockets
- Allow libvirtd the fsetid capability
- Allow libvirtd to read /run/utmp
- Dontaudit sys_ptrace capability when calling systemctl
- Allow udisksd to read /dev/random
- Allow udisksd to watch files under /run/mount
- Allow udisksd to watch /etc
- Allow crond to watch user_cron_spool_t directories
- Allow accountsd watch xdm config directories
- Label /etc/avahi with avahi_conf_t
- Allow sssd get cgroup filesystems attributes and search cgroup dirs
- Allow systemd-hostnamed read udev runtime data
- Remove dev_getattr_sysfs_fs() interface calls for particular domains
- Allow domain stat the /sys filesystem
- Dontaudit NetworkManager write to initrc_tmp_t pipes
- policykit.te: Clean up watch rule for policykit_auth_t
- Revert further unnecessary watch rules
- Revert "Allow getty watch its private runtime files"
- Allow systemd watch generic /var directories
- Allow init watch network config files and lnk_files
- Allow systemd-sleep get attributes of fixed disk device nodes
- Complete initial policy for systemd-coredump
- Label SDC(scini) Dell Driver
- Allow upowerd to send syslog messages
- Remove the disk write permissions from tlp_t
- Label NVMe devices as fixed_disk_device_t
- Allow rhsmcertd bind tcp sockets to a generic node
- Allow systemd-importd manage machines.lock file

* Tue Feb 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-3
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file

* Mon Feb 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-2
- Allow userdomain watch various filesystem objects
- Allow systemd-logind and systemd-sleep integrity lockdown permission
- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
- Allow pulseaudio watch devices and systemd-logind session dirs
- Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir
- Remove duplicate files_mounton_etc(init_t) call
- Add watch permissions to manage_* object permissions sets
- Allow journalctl watch generic log dirs and /run/log/journal dir
- Label /etc/resolv.conf as net_conf_t even when it's a symlink
- Allow SSSD to watch /var/run/NetworkManager
- Allow dnsmasq_t to watch /etc
- Remove unnecessary lines from the new watch interfaces
- Fix docstring for init_watch_dir()
- Allow xdm watch its private lib dirs, /etc, /usr

* Thu Feb 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-1
- Bump version as Fedora 34 has been branched off rawhide
- Allow xdm watch its private lib dirs, /etc, /usr
- Allow systemd-importd create /run/systemd/machines.lock file
- Allow rhsmcertd_t read kpatch lib files
- Add integrity lockdown permission into dev_read_raw_memory()
- Add confidentiality lockdown permission into fs_rw_tracefs_files()
- Allow gpsd read and write ptp4l_t shared memory.
- Allow colord watch its private lib files and /usr
- Allow init watch_reads mount PID files
- Allow IPsec and Certmonger to use opencryptoki services

* Sun Feb 07 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-18
- Allow lockdown confidentiality for domains using perf_event
- define lockdown class and access
- Add perfmon capability for all domains using perf_event
- Allow ptp4l_t bpf capability to run bpf programs
- Revert "Allow ptp4l_t sys_admin capability to run bpf programs"
- access_vectors: Add new capabilities to cap2
- Allow systemd and systemd-resolved watch dbus pid objects
- Add new watch interfaces in the base and userdomain policy
- Add watch permissions for contrib packages
- Allow xdm watch /usr directories
- Allow getty watch its private runtime files
- Add watch permissions for nscd and sssd
- Add watch permissions for firewalld and NetworkManager
- Add watch permissions for syslogd
- Add watch permissions for systemd services
- Allow restorecond watch /etc dirs
- Add watch permissions for user domain types
- Add watch permissions for init
- Add basic watch interfaces for systemd
- Add basic watch interfaces to the base module
- Add additional watch object permissions sets and patterns
- Allow init_t to watch localization symlinks
- Allow init_t to watch mount directories
- Allow init_t to watch cgroup files
- Add basic watch patterns
- Add new watch* permissions

* Fri Feb 05 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-17
- Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH
- Dontaudit setsched for rndc
- Allow systemd-logind destroy entries in message queue
- Add userdom_destroy_unpriv_user_msgq() interface
- ci: Install build dependencies from koji
- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
- Add new cmadmin port for bfdd daemon
- virtiofs supports Xattrs and SELinux
- Allow domain write to systemd-resolved PID socket files
- Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type
- Allow rhsmcertd_t domain transition to kpatch_t
- Revert "Add kpatch_exec() interface"
- Revert "Allow rhsmcertd execute kpatch"
- Allow openvswitch create and use xfrm netlink sockets
- Allow openvswitch_t perf_event write permission
- Add kpatch_exec() interface
- Allow rhsmcertd execute kpatch
- Adds rule to allow glusterd to access RDMA socket
- radius: Lexical sort of service-specific corenet rules by service name
- VQP: Include IANA-assigned TCP/1589
- radius: Allow binding to the VQP port (VMPS)
- radius: Allow binding to the BDF Control and Echo ports
- radius: Allow binding to the DHCP client port
- radius: Allow net_raw; allow binding to the DHCP server ports
- Add rsync_sys_admin tunable to allow rsync sys_admin capability
- Allow staff_u run pam_console_apply
- Allow openvswitch_t perf_event open permission
- Allow sysadm read and write /dev/rfkill
- Allow certmonger fsetid capability
- Allow domain read usermodehelper state information

* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.7-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

* Fri Jan 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.14.7-15
- Update specfile to not verify md5/size/mtime for active store files
- Add /var/mnt equivalency to /mnt
- Rebuild with SELinux userspace 3.2-rc1 release

* Fri Jan 08 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-14
- Allow domain read usermodehelper state information
- Remove all kernel_read_usermodehelper_state() interface calls
- .copr: improve timestamp format
- Allow wireshark create and use rdma socket
- Allow domain stat /proc filesystem
- Remove all kernel_getattr_proc() interface calls
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow dovecot_auth_t stat /proc filesystem"
- Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem"
- Allow sssd read /run/systemd directory
- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t

* Thu Dec 17 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-13
- Label /dev/isst_interface as cpu_device_t
- Dontaudit firewalld dac_override capability
- Allow ipsec set the context of a SPD entry to the default context
- Build binary RPMs in CI
- Add SRPM build scripts for COPR

* Tue Dec 15 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-12
- Allow dovecot_auth_t stat /proc filesystem
- Allow sysadm_u user and unconfined_domain_type manage perf_events
- Allow pcp-pmcd manage perf_events
- Add manage_perf_event_perms object permissions set
- Add perf_event access vectors.
- Allow sssd, unix_chkpwd, groupadd stat /proc filesystem
- Allow stub-resolv.conf to be a symlink
- sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t
- Create the systemd_dbus_chat_resolved() compatibility interface
- Allow nsswitch-domain write to systemd-resolved PID socket files
- Add systemd_resolved_write_pid_sock_files() interface
- Add default file context for "/var/run/chrony-dhcp(/.*)?"
- Allow timedatex dbus chat with cron system domain
- Add cron_dbus_chat_system_job() interface
- Allow systemd-logind manage init's pid files

* Wed Dec 09 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-11
- Allow systemd-logind manage init's pid files
- Allow tcsd the setgid capability
- Allow systemd-resolved manage its private runtime symlinks
- Update systemd_resolved_read_pid() to also read symlinks
- Update systemd-sleep policy
- Add groupadd_t fowner capability
- Migrate to GitHub Actions
- Update README.md to reflect the state after contrib and base merge
- Add README.md announcing merging of selinux-policy and selinux-policy-contrib
- Adapt .travis.yml to contrib merge
- Merge contrib into the main repo
- Prepare to merge contrib repo
- Move stuff around to match the main repo

* Thu Nov 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-10
- Allow Xephyr connect to 6000/tcp port and open user ptys
- Allow kexec manage generic tmp files
- Update targetd nfs & lvm
- Add interface rpc_manage_exports
- Merge selinux-policy and selinux-policy-contrib repos

* Tue Nov 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-9
- Allow varnish map its private tmp files
- Allow dovecot bind to smtp ports
- Change fetchmail temporary files path to /var/spool/mail
- Allow cups_pdf_t domain to communicate with unix_dgram_socket
- Set file context for symlinks in /etc/httpd to etc_t
- Allow rpmdb rw access to inherited console, ttys, and ptys
- Allow dnsmasq read public files
- Announce merging of selinux-policy and selinux-policy-contrib
- Label /etc/resolv.conf as net_conf_t only if it is a plain file
- Fix range for unreserved ports
- Add files_search_non_security_dirs() interface
- Introduce logging_syslogd_append_public_content tunable
- Add miscfiles_append_public_files() interface

* Fri Nov 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-8
- Set correct default file context for /usr/libexec/pcp/lib/*
- Introduce rpmdb_t type
- Allow slapd manage files/dirs in ldap certificates directory
- Revert "Allow certmonger add new entries in a generic certificates directory"
- Allow certmonger add new entries in a generic certificates directory
- Allow slapd add new entries in ldap certificates directory
- Remove retired PCP pmwebd and pmmgr daemons (since 5.0)
- Let keepalived bind a raw socket
- Add default file context for /usr/libexec/pcp/lib/*
- squid: Allow net_raw capability when squid_use_tproxy is enabled
- systemd: allow networkd to check namespaces
- Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed
- Allow resolved to created varlink sockets and the domain to talk to it
- selinux: tweak selinux_get_enforce_mode() to allow status page to be used
- systemd: allow all systemd services to check selinux status
- Set default file context for /var/lib/ipsec/nss
- Allow user domains transition to rpmdb_t
- Revert "Add miscfiles_add_entry_generic_cert_dirs() interface"
- Revert "Add miscfiles_create_generic_cert_dirs() interface"
- Update miscfiles_manage_all_certs() to include managing directories
- Add miscfiles_create_generic_cert_dirs() interface
- Add miscfiles_add_entry_generic_cert_dirs() interface
- Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t"

* Tue Nov 03 2020 Petr Lautrbach <plautrba@redhat.com> - 3.14.7-7
- Rebuild with latest libsepol
- Bump policy version to 33

* Thu Oct 22 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-6
- rpc.fc: Include /etc/exports.d dir & files
- Create chronyd_pid_filetrans() interface
- Change invalid type redisd_t to redis_t in redis_stream_connect()
- Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template"
- Allow init dbus chat with kernel
- Allow initrc_t create /run/chronyd-dhcp directory with a transition
- Drop gcc from dependencies in Travis CI
- fc_sort.py: Use "==" for comparing integers.
- re-implement fc_sort in python
- Remove invalid file context line
- Drop git from dependencies in Travis CI

* Tue Oct 06 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-5
- Remove empty line from rshd.fc
- Allow systemd-logind read swap files
- Add fstools_read_swap_files() interface
- Allow dyntransition from sshd_t to unconfined_t
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template

* Fri Sep 25 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-4
- Allow chronyd_t to accept and make NTS-KE connections
- Allow domain write to an automount unnamed pipe
- Label /var/run/zincati/public/motd.d/* as motd_var_run_t
- Allow login programs to (only) read MOTD files and symlinks
- Relabel /usr/sbin/charon-systemd as ipsec_exec_t
- Confine systemd-sleep service
- Add fstools_rw_swap_files() interface
- Label 4460/tcp port as ntske_port_t
- Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces
/usr/bin/macro-expander
/usr/share/selinux/devel
/usr/share/selinux/devel/Makefile
/usr/share/selinux/devel/example.fc
/usr/share/selinux/devel/example.if
/usr/share/selinux/devel/example.te
/usr/share/selinux/devel/html
/usr/share/selinux/devel/html/Fedora release 37 (Thirty Seven).html
/usr/share/selinux/devel/html/style.css
/usr/share/selinux/devel/include
/usr/share/selinux/devel/include/Makefile
/usr/share/selinux/devel/include/admin
/usr/share/selinux/devel/include/admin.xml
/usr/share/selinux/devel/include/admin/bootloader.if
/usr/share/selinux/devel/include/admin/consoletype.if
/usr/share/selinux/devel/include/admin/dmesg.if
/usr/share/selinux/devel/include/admin/netutils.if
/usr/share/selinux/devel/include/admin/su.if
/usr/share/selinux/devel/include/admin/sudo.if
/usr/share/selinux/devel/include/admin/usermanage.if
/usr/share/selinux/devel/include/apps
/usr/share/selinux/devel/include/apps.xml
/usr/share/selinux/devel/include/apps/seunshare.if
/usr/share/selinux/devel/include/build.conf
/usr/share/selinux/devel/include/contrib
/usr/share/selinux/devel/include/contrib.xml
/usr/share/selinux/devel/include/contrib/abrt.if
/usr/share/selinux/devel/include/contrib/accountsd.if
/usr/share/selinux/devel/include/contrib/acct.if
/usr/share/selinux/devel/include/contrib/afs.if
/usr/share/selinux/devel/include/contrib/aiccu.if
/usr/share/selinux/devel/include/contrib/aide.if
/usr/share/selinux/devel/include/contrib/aisexec.if
/usr/share/selinux/devel/include/contrib/ajaxterm.if
/usr/share/selinux/devel/include/contrib/alsa.if
/usr/share/selinux/devel/include/contrib/amanda.if
/usr/share/selinux/devel/include/contrib/amavis.if
/usr/share/selinux/devel/include/contrib/amtu.if
/usr/share/selinux/devel/include/contrib/anaconda.if
/usr/share/selinux/devel/include/contrib/antivirus.if
/usr/share/selinux/devel/include/contrib/apache.if
/usr/share/selinux/devel/include/contrib/apcupsd.if
/usr/share/selinux/devel/include/contrib/apm.if
/usr/share/selinux/devel/include/contrib/apt.if
/usr/share/selinux/devel/include/contrib/arpwatch.if
/usr/share/selinux/devel/include/contrib/asterisk.if
/usr/share/selinux/devel/include/contrib/authconfig.if
/usr/share/selinux/devel/include/contrib/automount.if
/usr/share/selinux/devel/include/contrib/avahi.if
/usr/share/selinux/devel/include/contrib/awstats.if
/usr/share/selinux/devel/include/contrib/backup.if
/usr/share/selinux/devel/include/contrib/bacula.if
/usr/share/selinux/devel/include/contrib/bcfg2.if
/usr/share/selinux/devel/include/contrib/bind.if
/usr/share/selinux/devel/include/contrib/bird.if
/usr/share/selinux/devel/include/contrib/bitlbee.if
/usr/share/selinux/devel/include/contrib/blkmapd.if
/usr/share/selinux/devel/include/contrib/blueman.if
/usr/share/selinux/devel/include/contrib/bluetooth.if
/usr/share/selinux/devel/include/contrib/boinc.if
/usr/share/selinux/devel/include/contrib/boltd.if
/usr/share/selinux/devel/include/contrib/brctl.if
/usr/share/selinux/devel/include/contrib/brltty.if
/usr/share/selinux/devel/include/contrib/bugzilla.if
/usr/share/selinux/devel/include/contrib/bumblebee.if
/usr/share/selinux/devel/include/contrib/cachefilesd.if
/usr/share/selinux/devel/include/contrib/calamaris.if
/usr/share/selinux/devel/include/contrib/callweaver.if
/usr/share/selinux/devel/include/contrib/canna.if
/usr/share/selinux/devel/include/contrib/ccs.if
/usr/share/selinux/devel/include/contrib/cdrecord.if
/usr/share/selinux/devel/include/contrib/certmaster.if
/usr/share/selinux/devel/include/contrib/certmonger.if
/usr/share/selinux/devel/include/contrib/certwatch.if
/usr/share/selinux/devel/include/contrib/cfengine.if
/usr/share/selinux/devel/include/contrib/cgroup.if
/usr/share/selinux/devel/include/contrib/chrome.if
/usr/share/selinux/devel/include/contrib/chronyd.if
/usr/share/selinux/devel/include/contrib/cinder.if
/usr/share/selinux/devel/include/contrib/cipe.if
/usr/share/selinux/devel/include/contrib/clamav.if
/usr/share/selinux/devel/include/contrib/clockspeed.if
/usr/share/selinux/devel/include/contrib/clogd.if
/usr/share/selinux/devel/include/contrib/cloudform.if
/usr/share/selinux/devel/include/contrib/cmirrord.if
/usr/share/selinux/devel/include/contrib/cobbler.if
/usr/share/selinux/devel/include/contrib/cockpit.if
/usr/share/selinux/devel/include/contrib/collectd.if
/usr/share/selinux/devel/include/contrib/colord.if
/usr/share/selinux/devel/include/contrib/comsat.if
/usr/share/selinux/devel/include/contrib/condor.if
/usr/share/selinux/devel/include/contrib/conman.if
/usr/share/selinux/devel/include/contrib/conntrackd.if
/usr/share/selinux/devel/include/contrib/consolekit.if
/usr/share/selinux/devel/include/contrib/container.if
/usr/share/selinux/devel/include/contrib/corosync.if
/usr/share/selinux/devel/include/contrib/couchdb.if
/usr/share/selinux/devel/include/contrib/courier.if
/usr/share/selinux/devel/include/contrib/cpucontrol.if
/usr/share/selinux/devel/include/contrib/cpufreqselector.if
/usr/share/selinux/devel/include/contrib/cpuplug.if
/usr/share/selinux/devel/include/contrib/cron.if
/usr/share/selinux/devel/include/contrib/ctdb.if
/usr/share/selinux/devel/include/contrib/cups.if
/usr/share/selinux/devel/include/contrib/cvs.if
/usr/share/selinux/devel/include/contrib/cyphesis.if
/usr/share/selinux/devel/include/contrib/cyrus.if
/usr/share/selinux/devel/include/contrib/daemontools.if
/usr/share/selinux/devel/include/contrib/dante.if
/usr/share/selinux/devel/include/contrib/dbadm.if
/usr/share/selinux/devel/include/contrib/dbskk.if
/usr/share/selinux/devel/include/contrib/dbus.if
/usr/share/selinux/devel/include/contrib/dcc.if
/usr/share/selinux/devel/include/contrib/ddclient.if
/usr/share/selinux/devel/include/contrib/ddcprobe.if
/usr/share/selinux/devel/include/contrib/denyhosts.if
/usr/share/selinux/devel/include/contrib/devicekit.if
/usr/share/selinux/devel/include/contrib/dhcp.if
/usr/share/selinux/devel/include/contrib/dictd.if
/usr/share/selinux/devel/include/contrib/dirmngr.if
/usr/share/selinux/devel/include/contrib/dirsrv-admin.if
/usr/share/selinux/devel/include/contrib/dirsrv.if
/usr/share/selinux/devel/include/contrib/distcc.if
/usr/share/selinux/devel/include/contrib/djbdns.if
/usr/share/selinux/devel/include/contrib/dkim.if
/usr/share/selinux/devel/include/contrib/dmidecode.if
/usr/share/selinux/devel/include/contrib/dnsmasq.if
/usr/share/selinux/devel/include/contrib/dnssec.if
/usr/share/selinux/devel/include/contrib/dovecot.if
/usr/share/selinux/devel/include/contrib/dpkg.if
/usr/share/selinux/devel/include/contrib/drbd.if
/usr/share/selinux/devel/include/contrib/dspam.if
/usr/share/selinux/devel/include/contrib/entropyd.if
/usr/share/selinux/devel/include/contrib/evolution.if
/usr/share/selinux/devel/include/contrib/exim.if
/usr/share/selinux/devel/include/contrib/fail2ban.if
/usr/share/selinux/devel/include/contrib/fcoe.if
/usr/share/selinux/devel/include/contrib/fedoratp.if
/usr/share/selinux/devel/include/contrib/fetchmail.if
/usr/share/selinux/devel/include/contrib/finger.if
/usr/share/selinux/devel/include/contrib/firewalld.if
/usr/share/selinux/devel/include/contrib/firewallgui.if
/usr/share/selinux/devel/include/contrib/firstboot.if
/usr/share/selinux/devel/include/contrib/fprintd.if
/usr/share/selinux/devel/include/contrib/freeipmi.if
/usr/share/selinux/devel/include/contrib/freqset.if
/usr/share/selinux/devel/include/contrib/ftp.if
/usr/share/selinux/devel/include/contrib/fwupd.if
/usr/share/selinux/devel/include/contrib/games.if
/usr/share/selinux/devel/include/contrib/gatekeeper.if
/usr/share/selinux/devel/include/contrib/gdomap.if
/usr/share/selinux/devel/include/contrib/geoclue.if
/usr/share/selinux/devel/include/contrib/git.if
/usr/share/selinux/devel/include/contrib/gitosis.if
/usr/share/selinux/devel/include/contrib/glance.if
/usr/share/selinux/devel/include/contrib/glusterd.if
/usr/share/selinux/devel/include/contrib/gnome.if
/usr/share/selinux/devel/include/contrib/gnomeclock.if
/usr/share/selinux/devel/include/contrib/gpg.if
/usr/share/selinux/devel/include/contrib/gpm.if
/usr/share/selinux/devel/include/contrib/gpsd.if
/usr/share/selinux/devel/include/contrib/gssproxy.if
/usr/share/selinux/devel/include/contrib/hadoop.if
/usr/share/selinux/devel/include/contrib/hddtemp.if
/usr/share/selinux/devel/include/contrib/hostapd.if
/usr/share/selinux/devel/include/contrib/howl.if
/usr/share/selinux/devel/include/contrib/hsqldb.if
/usr/share/selinux/devel/include/contrib/hwloc.if
/usr/share/selinux/devel/include/contrib/hypervkvp.if
/usr/share/selinux/devel/include/contrib/i18n_input.if
/usr/share/selinux/devel/include/contrib/ibacm.if
/usr/share/selinux/devel/include/contrib/ica.if
/usr/share/selinux/devel/include/contrib/icecast.if
/usr/share/selinux/devel/include/contrib/ifplugd.if
/usr/share/selinux/devel/include/contrib/imaze.if
/usr/share/selinux/devel/include/contrib/inetd.if
/usr/share/selinux/devel/include/contrib/inn.if
/usr/share/selinux/devel/include/contrib/insights_client.if
/usr/share/selinux/devel/include/contrib/iodine.if
/usr/share/selinux/devel/include/contrib/iotop.if
/usr/share/selinux/devel/include/contrib/ipa.if
/usr/share/selinux/devel/include/contrib/ipmievd.if
/usr/share/selinux/devel/include/contrib/irc.if
/usr/share/selinux/devel/include/contrib/ircd.if
/usr/share/selinux/devel/include/contrib/irqbalance.if
/usr/share/selinux/devel/include/contrib/iscsi.if
/usr/share/selinux/devel/include/contrib/isns.if
/usr/share/selinux/devel/include/contrib/jabber.if
/usr/share/selinux/devel/include/contrib/java.if
/usr/share/selinux/devel/include/contrib/jetty.if
/usr/share/selinux/devel/include/contrib/jockey.if
/usr/share/selinux/devel/include/contrib/journalctl.if
/usr/share/selinux/devel/include/contrib/kdump.if
/usr/share/selinux/devel/include/contrib/kdumpgui.if
/usr/share/selinux/devel/include/contrib/keepalived.if
/usr/share/selinux/devel/include/contrib/kerberos.if
/usr/share/selinux/devel/include/contrib/kerneloops.if /usr/share/selinux/devel/include/contrib/keyboardd.if /usr/share/selinux/devel/include/contrib/keystone.if /usr/share/selinux/devel/include/contrib/kismet.if /usr/share/selinux/devel/include/contrib/kmscon.if /usr/share/selinux/devel/include/contrib/kpatch.if /usr/share/selinux/devel/include/contrib/ksmtuned.if /usr/share/selinux/devel/include/contrib/ktalk.if /usr/share/selinux/devel/include/contrib/l2tp.if /usr/share/selinux/devel/include/contrib/ldap.if /usr/share/selinux/devel/include/contrib/lightsquid.if /usr/share/selinux/devel/include/contrib/likewise.if /usr/share/selinux/devel/include/contrib/linuxptp.if /usr/share/selinux/devel/include/contrib/lircd.if /usr/share/selinux/devel/include/contrib/livecd.if /usr/share/selinux/devel/include/contrib/lldpad.if /usr/share/selinux/devel/include/contrib/loadkeys.if /usr/share/selinux/devel/include/contrib/lockdev.if /usr/share/selinux/devel/include/contrib/logrotate.if /usr/share/selinux/devel/include/contrib/logwatch.if /usr/share/selinux/devel/include/contrib/lpd.if /usr/share/selinux/devel/include/contrib/lsm.if /usr/share/selinux/devel/include/contrib/lttng-tools.if /usr/share/selinux/devel/include/contrib/mailman.if /usr/share/selinux/devel/include/contrib/mailscanner.if /usr/share/selinux/devel/include/contrib/man2html.if /usr/share/selinux/devel/include/contrib/mandb.if /usr/share/selinux/devel/include/contrib/mcelog.if /usr/share/selinux/devel/include/contrib/mediawiki.if /usr/share/selinux/devel/include/contrib/memcached.if /usr/share/selinux/devel/include/contrib/milter.if /usr/share/selinux/devel/include/contrib/minidlna.if /usr/share/selinux/devel/include/contrib/minissdpd.if /usr/share/selinux/devel/include/contrib/mip6d.if /usr/share/selinux/devel/include/contrib/mirrormanager.if /usr/share/selinux/devel/include/contrib/mock.if /usr/share/selinux/devel/include/contrib/modemmanager.if /usr/share/selinux/devel/include/contrib/mojomojo.if 
/usr/share/selinux/devel/include/contrib/mon_statd.if /usr/share/selinux/devel/include/contrib/mongodb.if /usr/share/selinux/devel/include/contrib/mono.if /usr/share/selinux/devel/include/contrib/monop.if /usr/share/selinux/devel/include/contrib/motion.if /usr/share/selinux/devel/include/contrib/mozilla.if /usr/share/selinux/devel/include/contrib/mpd.if /usr/share/selinux/devel/include/contrib/mplayer.if /usr/share/selinux/devel/include/contrib/mrtg.if /usr/share/selinux/devel/include/contrib/mta.if /usr/share/selinux/devel/include/contrib/munin.if /usr/share/selinux/devel/include/contrib/mysql.if /usr/share/selinux/devel/include/contrib/mythtv.if /usr/share/selinux/devel/include/contrib/naemon.if /usr/share/selinux/devel/include/contrib/nagios.if /usr/share/selinux/devel/include/contrib/namespace.if /usr/share/selinux/devel/include/contrib/ncftool.if /usr/share/selinux/devel/include/contrib/nessus.if /usr/share/selinux/devel/include/contrib/networkmanager.if /usr/share/selinux/devel/include/contrib/ninfod.if /usr/share/selinux/devel/include/contrib/nis.if /usr/share/selinux/devel/include/contrib/nova.if /usr/share/selinux/devel/include/contrib/nscd.if /usr/share/selinux/devel/include/contrib/nsd.if /usr/share/selinux/devel/include/contrib/nslcd.if /usr/share/selinux/devel/include/contrib/ntop.if /usr/share/selinux/devel/include/contrib/ntp.if /usr/share/selinux/devel/include/contrib/numad.if /usr/share/selinux/devel/include/contrib/nut.if /usr/share/selinux/devel/include/contrib/nx.if /usr/share/selinux/devel/include/contrib/oav.if /usr/share/selinux/devel/include/contrib/obex.if /usr/share/selinux/devel/include/contrib/oddjob.if /usr/share/selinux/devel/include/contrib/oident.if /usr/share/selinux/devel/include/contrib/opafm.if /usr/share/selinux/devel/include/contrib/openca.if /usr/share/selinux/devel/include/contrib/openct.if /usr/share/selinux/devel/include/contrib/opendnssec.if /usr/share/selinux/devel/include/contrib/openfortivpn.if 
/usr/share/selinux/devel/include/contrib/openhpid.if /usr/share/selinux/devel/include/contrib/openshift-origin.if /usr/share/selinux/devel/include/contrib/openshift.if /usr/share/selinux/devel/include/contrib/opensm.if /usr/share/selinux/devel/include/contrib/openvpn.if /usr/share/selinux/devel/include/contrib/openvswitch.if /usr/share/selinux/devel/include/contrib/openwsman.if /usr/share/selinux/devel/include/contrib/oracleasm.if /usr/share/selinux/devel/include/contrib/osad.if /usr/share/selinux/devel/include/contrib/pacemaker.if /usr/share/selinux/devel/include/contrib/pads.if /usr/share/selinux/devel/include/contrib/passenger.if /usr/share/selinux/devel/include/contrib/pcmcia.if /usr/share/selinux/devel/include/contrib/pcp.if /usr/share/selinux/devel/include/contrib/pcscd.if /usr/share/selinux/devel/include/contrib/pdns.if /usr/share/selinux/devel/include/contrib/pegasus.if /usr/share/selinux/devel/include/contrib/perdition.if /usr/share/selinux/devel/include/contrib/pesign.if /usr/share/selinux/devel/include/contrib/pingd.if /usr/share/selinux/devel/include/contrib/piranha.if /usr/share/selinux/devel/include/contrib/pkcs.if /usr/share/selinux/devel/include/contrib/pkcs11proxyd.if /usr/share/selinux/devel/include/contrib/pki.if /usr/share/selinux/devel/include/contrib/plymouthd.if /usr/share/selinux/devel/include/contrib/podsleuth.if /usr/share/selinux/devel/include/contrib/policykit.if /usr/share/selinux/devel/include/contrib/polipo.if /usr/share/selinux/devel/include/contrib/portage.if /usr/share/selinux/devel/include/contrib/portmap.if /usr/share/selinux/devel/include/contrib/portreserve.if /usr/share/selinux/devel/include/contrib/portslave.if /usr/share/selinux/devel/include/contrib/postfix.if /usr/share/selinux/devel/include/contrib/postfixpolicyd.if /usr/share/selinux/devel/include/contrib/postgrey.if /usr/share/selinux/devel/include/contrib/ppp.if /usr/share/selinux/devel/include/contrib/prelink.if /usr/share/selinux/devel/include/contrib/prelude.if 
/usr/share/selinux/devel/include/contrib/privoxy.if /usr/share/selinux/devel/include/contrib/procmail.if /usr/share/selinux/devel/include/contrib/prosody.if /usr/share/selinux/devel/include/contrib/psad.if /usr/share/selinux/devel/include/contrib/ptchown.if /usr/share/selinux/devel/include/contrib/publicfile.if /usr/share/selinux/devel/include/contrib/pulseaudio.if /usr/share/selinux/devel/include/contrib/puppet.if /usr/share/selinux/devel/include/contrib/pwauth.if /usr/share/selinux/devel/include/contrib/pxe.if /usr/share/selinux/devel/include/contrib/pyzor.if /usr/share/selinux/devel/include/contrib/qemu.if /usr/share/selinux/devel/include/contrib/qmail.if /usr/share/selinux/devel/include/contrib/qpid.if /usr/share/selinux/devel/include/contrib/quantum.if /usr/share/selinux/devel/include/contrib/quota.if /usr/share/selinux/devel/include/contrib/rabbitmq.if /usr/share/selinux/devel/include/contrib/radius.if /usr/share/selinux/devel/include/contrib/radvd.if /usr/share/selinux/devel/include/contrib/raid.if /usr/share/selinux/devel/include/contrib/rasdaemon.if /usr/share/selinux/devel/include/contrib/razor.if /usr/share/selinux/devel/include/contrib/rdisc.if /usr/share/selinux/devel/include/contrib/readahead.if /usr/share/selinux/devel/include/contrib/realmd.if /usr/share/selinux/devel/include/contrib/redis.if /usr/share/selinux/devel/include/contrib/remotelogin.if /usr/share/selinux/devel/include/contrib/resmgr.if /usr/share/selinux/devel/include/contrib/rgmanager.if /usr/share/selinux/devel/include/contrib/rhcd.if /usr/share/selinux/devel/include/contrib/rhcs.if /usr/share/selinux/devel/include/contrib/rhev.if /usr/share/selinux/devel/include/contrib/rhgb.if /usr/share/selinux/devel/include/contrib/rhnsd.if /usr/share/selinux/devel/include/contrib/rhsmcertd.if /usr/share/selinux/devel/include/contrib/ricci.if /usr/share/selinux/devel/include/contrib/rkhunter.if /usr/share/selinux/devel/include/contrib/rkt.if /usr/share/selinux/devel/include/contrib/rlogin.if 
/usr/share/selinux/devel/include/contrib/rngd.if /usr/share/selinux/devel/include/contrib/rolekit.if /usr/share/selinux/devel/include/contrib/roundup.if /usr/share/selinux/devel/include/contrib/rpc.if /usr/share/selinux/devel/include/contrib/rpcbind.if /usr/share/selinux/devel/include/contrib/rpm.if /usr/share/selinux/devel/include/contrib/rrdcached.if /usr/share/selinux/devel/include/contrib/rshd.if /usr/share/selinux/devel/include/contrib/rssh.if /usr/share/selinux/devel/include/contrib/rsync.if /usr/share/selinux/devel/include/contrib/rtas.if /usr/share/selinux/devel/include/contrib/rtkit.if /usr/share/selinux/devel/include/contrib/rwho.if /usr/share/selinux/devel/include/contrib/samba.if /usr/share/selinux/devel/include/contrib/sambagui.if /usr/share/selinux/devel/include/contrib/samhain.if /usr/share/selinux/devel/include/contrib/sandbox.if /usr/share/selinux/devel/include/contrib/sandboxX.if /usr/share/selinux/devel/include/contrib/sanlock.if /usr/share/selinux/devel/include/contrib/sasl.if /usr/share/selinux/devel/include/contrib/sbd.if /usr/share/selinux/devel/include/contrib/sblim.if /usr/share/selinux/devel/include/contrib/screen.if /usr/share/selinux/devel/include/contrib/sectoolm.if /usr/share/selinux/devel/include/contrib/sendmail.if /usr/share/selinux/devel/include/contrib/sensord.if /usr/share/selinux/devel/include/contrib/setroubleshoot.if /usr/share/selinux/devel/include/contrib/sge.if /usr/share/selinux/devel/include/contrib/shorewall.if /usr/share/selinux/devel/include/contrib/shutdown.if /usr/share/selinux/devel/include/contrib/slocate.if /usr/share/selinux/devel/include/contrib/slpd.if /usr/share/selinux/devel/include/contrib/slrnpull.if /usr/share/selinux/devel/include/contrib/smartmon.if /usr/share/selinux/devel/include/contrib/smokeping.if /usr/share/selinux/devel/include/contrib/smoltclient.if /usr/share/selinux/devel/include/contrib/smsd.if /usr/share/selinux/devel/include/contrib/smstools.if 
/usr/share/selinux/devel/include/contrib/snapper.if /usr/share/selinux/devel/include/contrib/snmp.if /usr/share/selinux/devel/include/contrib/snort.if /usr/share/selinux/devel/include/contrib/sosreport.if /usr/share/selinux/devel/include/contrib/soundserver.if /usr/share/selinux/devel/include/contrib/spamassassin.if /usr/share/selinux/devel/include/contrib/speech-dispatcher.if /usr/share/selinux/devel/include/contrib/squid.if /usr/share/selinux/devel/include/contrib/sslh.if /usr/share/selinux/devel/include/contrib/sssd.if /usr/share/selinux/devel/include/contrib/stalld.if /usr/share/selinux/devel/include/contrib/stapserver.if /usr/share/selinux/devel/include/contrib/stratisd.if /usr/share/selinux/devel/include/contrib/stunnel.if /usr/share/selinux/devel/include/contrib/svnserve.if /usr/share/selinux/devel/include/contrib/swift.if /usr/share/selinux/devel/include/contrib/sxid.if /usr/share/selinux/devel/include/contrib/sysstat.if /usr/share/selinux/devel/include/contrib/tangd.if /usr/share/selinux/devel/include/contrib/targetd.if /usr/share/selinux/devel/include/contrib/tcpd.if /usr/share/selinux/devel/include/contrib/tcsd.if /usr/share/selinux/devel/include/contrib/telepathy.if /usr/share/selinux/devel/include/contrib/telnet.if /usr/share/selinux/devel/include/contrib/tftp.if /usr/share/selinux/devel/include/contrib/tgtd.if /usr/share/selinux/devel/include/contrib/thin.if /usr/share/selinux/devel/include/contrib/thumb.if /usr/share/selinux/devel/include/contrib/thunderbird.if /usr/share/selinux/devel/include/contrib/timedatex.if /usr/share/selinux/devel/include/contrib/timidity.if /usr/share/selinux/devel/include/contrib/tlp.if /usr/share/selinux/devel/include/contrib/tmpreaper.if /usr/share/selinux/devel/include/contrib/tomcat.if /usr/share/selinux/devel/include/contrib/tor.if /usr/share/selinux/devel/include/contrib/transproxy.if /usr/share/selinux/devel/include/contrib/tripwire.if /usr/share/selinux/devel/include/contrib/tuned.if 
/usr/share/selinux/devel/include/contrib/tvtime.if /usr/share/selinux/devel/include/contrib/tzdata.if /usr/share/selinux/devel/include/contrib/ucspitcp.if /usr/share/selinux/devel/include/contrib/ulogd.if /usr/share/selinux/devel/include/contrib/uml.if /usr/share/selinux/devel/include/contrib/updfstab.if /usr/share/selinux/devel/include/contrib/uptime.if /usr/share/selinux/devel/include/contrib/usbmodules.if /usr/share/selinux/devel/include/contrib/usbmuxd.if /usr/share/selinux/devel/include/contrib/userhelper.if /usr/share/selinux/devel/include/contrib/usernetctl.if /usr/share/selinux/devel/include/contrib/uucp.if /usr/share/selinux/devel/include/contrib/uuidd.if /usr/share/selinux/devel/include/contrib/uwimap.if /usr/share/selinux/devel/include/contrib/varnishd.if /usr/share/selinux/devel/include/contrib/vbetool.if /usr/share/selinux/devel/include/contrib/vdagent.if /usr/share/selinux/devel/include/contrib/vhostmd.if /usr/share/selinux/devel/include/contrib/virt.if /usr/share/selinux/devel/include/contrib/vlock.if /usr/share/selinux/devel/include/contrib/vmtools.if /usr/share/selinux/devel/include/contrib/vmware.if /usr/share/selinux/devel/include/contrib/vnstatd.if /usr/share/selinux/devel/include/contrib/vpn.if /usr/share/selinux/devel/include/contrib/w3c.if /usr/share/selinux/devel/include/contrib/watchdog.if /usr/share/selinux/devel/include/contrib/wdmd.if /usr/share/selinux/devel/include/contrib/webadm.if /usr/share/selinux/devel/include/contrib/webalizer.if /usr/share/selinux/devel/include/contrib/wine.if /usr/share/selinux/devel/include/contrib/wireguard.if /usr/share/selinux/devel/include/contrib/wireshark.if /usr/share/selinux/devel/include/contrib/wm.if /usr/share/selinux/devel/include/contrib/xen.if /usr/share/selinux/devel/include/contrib/xfs.if /usr/share/selinux/devel/include/contrib/xscreensaver.if /usr/share/selinux/devel/include/contrib/zabbix.if /usr/share/selinux/devel/include/contrib/zarafa.if /usr/share/selinux/devel/include/contrib/zebra.if 
/usr/share/selinux/devel/include/contrib/zoneminder.if /usr/share/selinux/devel/include/contrib/zosremote.if /usr/share/selinux/devel/include/global_booleans.xml /usr/share/selinux/devel/include/global_tunables.xml /usr/share/selinux/devel/include/kernel /usr/share/selinux/devel/include/kernel.xml /usr/share/selinux/devel/include/kernel/corecommands.if /usr/share/selinux/devel/include/kernel/corenetwork.if /usr/share/selinux/devel/include/kernel/devices.if /usr/share/selinux/devel/include/kernel/domain.if /usr/share/selinux/devel/include/kernel/files.if /usr/share/selinux/devel/include/kernel/filesystem.if /usr/share/selinux/devel/include/kernel/kernel.if /usr/share/selinux/devel/include/kernel/mcs.if /usr/share/selinux/devel/include/kernel/mls.if /usr/share/selinux/devel/include/kernel/selinux.if /usr/share/selinux/devel/include/kernel/storage.if /usr/share/selinux/devel/include/kernel/terminal.if /usr/share/selinux/devel/include/kernel/ubac.if /usr/share/selinux/devel/include/kernel/unlabelednet.if /usr/share/selinux/devel/include/roles /usr/share/selinux/devel/include/roles.xml /usr/share/selinux/devel/include/roles/auditadm.if /usr/share/selinux/devel/include/roles/guest.if /usr/share/selinux/devel/include/roles/logadm.if /usr/share/selinux/devel/include/roles/secadm.if /usr/share/selinux/devel/include/roles/staff.if /usr/share/selinux/devel/include/roles/sysadm.if /usr/share/selinux/devel/include/roles/sysadm_secadm.if /usr/share/selinux/devel/include/roles/unconfineduser.if /usr/share/selinux/devel/include/roles/unprivuser.if /usr/share/selinux/devel/include/roles/xguest.if /usr/share/selinux/devel/include/services /usr/share/selinux/devel/include/services.xml /usr/share/selinux/devel/include/services/postgresql.if /usr/share/selinux/devel/include/services/ssh.if /usr/share/selinux/devel/include/services/xserver.if /usr/share/selinux/devel/include/support /usr/share/selinux/devel/include/support/all_perms.spt /usr/share/selinux/devel/include/support/divert.m4 
/usr/share/selinux/devel/include/support/file_patterns.spt /usr/share/selinux/devel/include/support/ipc_patterns.spt /usr/share/selinux/devel/include/support/loadable_module.spt /usr/share/selinux/devel/include/support/misc_macros.spt /usr/share/selinux/devel/include/support/misc_patterns.spt /usr/share/selinux/devel/include/support/mls_mcs_macros.spt /usr/share/selinux/devel/include/support/obj_perm_sets.spt /usr/share/selinux/devel/include/support/policy.dtd /usr/share/selinux/devel/include/support/segenxml.py /usr/share/selinux/devel/include/support/undivert.m4 /usr/share/selinux/devel/include/system /usr/share/selinux/devel/include/system.xml /usr/share/selinux/devel/include/system/application.if /usr/share/selinux/devel/include/system/authlogin.if /usr/share/selinux/devel/include/system/clock.if /usr/share/selinux/devel/include/system/fstools.if /usr/share/selinux/devel/include/system/getty.if /usr/share/selinux/devel/include/system/hostname.if /usr/share/selinux/devel/include/system/init.if /usr/share/selinux/devel/include/system/ipsec.if /usr/share/selinux/devel/include/system/iptables.if /usr/share/selinux/devel/include/system/libraries.if /usr/share/selinux/devel/include/system/locallogin.if /usr/share/selinux/devel/include/system/logging.if /usr/share/selinux/devel/include/system/lvm.if /usr/share/selinux/devel/include/system/miscfiles.if /usr/share/selinux/devel/include/system/modutils.if /usr/share/selinux/devel/include/system/mount.if /usr/share/selinux/devel/include/system/netlabel.if /usr/share/selinux/devel/include/system/selinuxutil.if /usr/share/selinux/devel/include/system/setrans.if /usr/share/selinux/devel/include/system/sysnetwork.if /usr/share/selinux/devel/include/system/systemd.if /usr/share/selinux/devel/include/system/udev.if /usr/share/selinux/devel/include/system/unconfined.if /usr/share/selinux/devel/include/system/userdomain.if /usr/share/selinux/devel/policy.dtd /usr/share/selinux/devel/policy.xml /var/lib/sepolgen/interface_info
Generated by rpm2html 1.8.1
Fabrice Bellet, Thu May 9 20:22:59 2024