From e975ee51ee2d9aa76c15d768234f36162737911c Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: May 15 2023 14:34:30 +0000 Subject: Trim changelog so that it starts at F36 time --- diff --git a/selinux-policy.spec b/selinux-policy.spec index 6f17873..aa21648 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -24,7 +24,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 37.21 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz Source1: modules-targeted-base.conf @@ -813,6 +813,9 @@ exit 0 %endif %changelog +* Mon May 15 2023 Zdenek Pytela - 37.21-2 +- Trim changelog so that it starts at F36 time + * Mon May 15 2023 Zdenek Pytela - 37.21-1 - Allow rpmdb_migrate execute rpmdb - Allow logrotate dbus chat with systemd-hostnamed @@ -1311,180 +1314,3 @@ exit 0 - Allow sanlock get attributes of filesystems with extended attributes - Associate stratisd_data_t with device filesystem - Allow init read stratis data symlinks - -* Tue Feb 01 2022 Zdenek Pytela - 35.13-1 -- Allow systemd services watch dbusd pid directory and its parents -- Allow ModemManager connect to the unconfined user domain -- Label /dev/wwan.+ with modem_manager_t -- Allow alsactl set group Process ID of a process -- Allow domtrans to sssd_t and role access to sssd -- Creating interface sssd_run_sssd() -- Label utilities for exFAT filesystems with fsadm_exec_t -- Label /dev/nvme-fabrics with fixed_disk_device_t -- Allow init delete generic tmp named pipes -- Allow timedatex dbus chat with xdm - -* Wed Jan 26 2022 Zdenek Pytela - 35.12-1 -- Fix badly indented used interfaces -- Allow domain transition to sssd_t -- Dontaudit sfcbd sys_ptrace cap_userns -- Label /var/lib/plocate with locate_var_lib_t -- Allow hostapd talk with unconfined user over unix domain dgram socket -- Allow NetworkManager talk with unconfined user over unix domain dgram socket -- Allow system_mail_t read inherited apache system content rw files -- Add apache_read_inherited_sys_content_rw_files() interface -- Allow rhsm-service execute its private memfd: objects -- Allow dirsrv read configfs files and directories -- Label /run/stratisd with stratisd_var_run_t -- Allow tumblerd write to session_dbusd tmp socket files - -* Wed Jan 19 2022 Zdenek Pytela - 35.11-1 -- Revert "Label /etc/cockpit/ws-certs.d with cert_t" -- Allow login_userdomain write to session_dbusd tmp socket files -- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t - -* Mon Jan 17 2022 Zdenek Pytela - 35.10-1 -- Allow login_userdomain watch systemd-machined PID directories -- Allow login_userdomain watch systemd-logind PID directories -- Allow login_userdomain watch accountsd lib directories -- Allow login_userdomain watch localization directories -- Allow login_userdomain watch various files and dirs -- Allow login_userdomain watch generic directories in /tmp -- Allow rhsm-service read/write its private memfd: objects -- Allow radiusd connect to the radacct port -- Allow systemd-io-bridge ioctl rpm_script_t -- Allow systemd-coredump userns capabilities and root mounton -- Allow systemd-coredump read and write usermodehelper state -- Allow login_userdomain create session_dbusd tmp socket files -- Allow gkeyringd_domain write to session_dbusd tmp socket files -- Allow systemd-logind delete session_dbusd tmp socket files -- Allow gdm-x-session write to session dbus tmp sock files -- Label /etc/cockpit/ws-certs.d with cert_t -- Allow kpropd get attributes of cgroup filesystems -- Allow administrative users the bpf capability -- Allow sysadm_t start and stop transient services -- Connect triggerin to pcre2 instead of pcre - -* Wed Jan 12 2022 Zdenek Pytela - 35.9-1 -- Allow sshd read filesystem sysctl files -- Revert "Allow sshd read sysctl files" -- Allow tlp read its systemd unit -- Allow gssproxy access to various system files. -- Allow gssproxy read, write, and map ica tmpfs files -- Allow gssproxy read and write z90crypt device -- Allow sssd_kcm read and write z90crypt device -- Allow smbcontrol read the network state information -- Allow virt_domain map vhost devices -- Allow fcoemon request the kernel to load a module -- Allow sshd read sysctl files -- Ensure that `/run/systemd/*` are properly labeled -- Allow admin userdomains use socketpair() -- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling -- Allow lldpd connect to snmpd with a unix domain stream socket -- Dontaudit pkcsslotd sys_admin capability - -* Thu Dec 23 2021 Zdenek Pytela - 35.8-1 -- Allow haproxy get attributes of filesystems with extended attributes -- Allow haproxy get attributes of cgroup filesystems -- Allow sysadm execute sysadmctl in sysadm_t domain using sudo -- Allow userdomains use pam_ssh_agent_auth for passwordless sudo -- Allow sudodomains execute passwd in the passwd domain -- Allow braille printing in selinux -- Allow sandbox_xserver_t map sandbox_file_t -- Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t -- Add hwtracing_device_t type for hardware-level tracing and debugging -- Label port 9528/tcp with openqa_liveview -- Label /var/lib/shorewall6-lite with shorewall_var_lib_t -- Document Security Flask model in the policy - -* Fri Dec 10 2021 Zdenek Pytela - 35.7-1 -- Allow systemd read unlabeled symbolic links -- Label abrt-action-generate-backtrace with abrt_handle_event_exec_t -- Allow dnsmasq watch /etc/dnsmasq.d directories -- Allow rhsmcertd get attributes of tmpfs_t filesystems -- Allow lldpd use an snmp subagent over a tcp socket -- Allow xdm watch generic directories in /var/lib -- Allow login_userdomain open/read/map system journal -- Allow sysadm_t connect to cluster domains over a unix stream socket -- Allow sysadm_t read/write pkcs shared memory segments -- Allow sysadm_t connect to sanlock over a unix stream socket -- Allow sysadm_t dbus chat with sssd -- Allow sysadm_t set attributes on character device nodes -- Allow sysadm_t read and write watchdog devices -- Allow smbcontrol use additional socket types -- Allow cloud-init dbus chat with systemd-logind -- Allow svnserve send mail from the system -- Update userdom_exec_user_tmp_files() with an entrypoint rule -- Allow sudodomain send a null signal to sshd processes - -* Fri Nov 19 2021 Zdenek Pytela - 35.6-1 -- Allow PID 1 and dbus-broker IPC with a systemd user session -- Allow rpmdb read generic SSL certificates -- Allow rpmdb read admin home config files -- Report warning on duplicate definition of interface -- Allow redis get attributes of filesystems with extended attributes -- Allow sysadm_t dbus chat with realmd_t -- Make cupsd_lpd_t a daemon -- Allow tlp dbus-chat with NetworkManager -- filesystem: add fs_use_trans for ramfs -- Allow systemd-logind destroy unconfined user's IPC objects - -* Thu Nov 04 2021 Zdenek Pytela - 35.5-1 -- Support sanlock VG automated recovery on storage access loss 2/2 -- Support sanlock VG automated recovery on storage access loss 1/2 -- Revert "Support sanlock VG automated recovery on storage access loss" -- Allow tlp get service units status -- Allow fedora-third-party manage 3rd party repos -- Allow xdm_t nnp_transition to login_userdomain -- Add the auth_read_passwd_file() interface -- Allow redis-sentinel execute a notification script -- Allow fetchmail search cgroup directories -- Allow lvm_t to read/write devicekit disk semaphores -- Allow devicekit_disk_t to use /dev/mapper/control -- Allow devicekit_disk_t to get IPC info from the kernel -- Allow devicekit_disk_t to read systemd-logind pid files -- Allow devicekit_disk_t to mount filesystems on mnt_t directories -- Allow devicekit_disk_t to manage mount_var_run_t files -- Allow rasdaemon sys_admin capability to verify the CAP_SYS_ADMIN of the soft_offline_page function implemented in the kernel -- Use $releasever in koji repo to reduce rawhide hardcoding -- authlogin: add fcontext for tcb -- Add erofs as a SELinux capable file system -- Allow systemd execute user bin files -- Support sanlock VG automated recovery on storage access loss -- Support new PING_CHECK health checker in keepalived - -* Wed Oct 20 2021 Zdenek Pytela - 35.4-1 -- Allow fedora-third-party map generic cache files -- Add gnome_map_generic_cache_files() interface -- Add files_manage_var_lib_dirs() interface -- Allow fedora-third party manage gpg keys -- Allow fedora-third-party run "flatpak remote-add --from flathub" - -* Tue Oct 19 2021 Zdenek Pytela - 35.3-1 -- Allow fedora-third-party run flatpak post-install actions -- Allow fedora-third-party set_setsched and sys_nice - -* Mon Oct 18 2021 Zdenek Pytela - 35.2-1 -- Allow fedora-third-party execute "flatpak remote-add" -- Add files_manage_var_lib_files() interface -- Add write permisson to userfaultfd_anon_inode_perms -- Allow proper function sosreport via iotop -- Allow proper function sosreport in sysadmin role -- Allow fedora-third-party to connect to the system log service -- Allow fedora-third-party dbus chat with policykit -- Allow chrony-wait service start with DynamicUser=yes -- Allow management of lnk_files if similar access to regular files -- Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges -- Allow systemd-resolved watch /run/systemd -- Allow fedora-third-party create and use unix_dgram_socket -- Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files -- Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain - -* Thu Oct 07 2021 Zdenek Pytela - 35.1-1 -- Add fedoratp module -- Allow xdm_t domain transition to fedoratp_t -- Allow ModemManager create and use netlink route socket -- Add default file context for /run/gssproxy.default.sock -- Allow xdm_t watch fonts directories -- Allow xdm_t watch generic directories in /lib -- Allow xdm_t watch generic pid directories