- Add lvm_stream_connect() interface.
- Add support for /usr/sbin/lvmpolld.BZ(1220817)
- Allow gvfsd-fuse running as xdm_t to use /run/user/42/gvfs as mountpoint.BZ(1218137)
- Allow login_pgm domains to access kernel keyring for nsswitch domains.
- Add labeling for systemd-time*.service unit files and allow systemd-timedated to access these unit files.
- This change will remove entrypoint from filesystems, should be back ported to all RHEL/Fedora systems
- Only allow semanage_t to be able to setenforce 0, no all domains that use selinux_semanage interface
- Allow debugfs associate to a sysfs filesystem.
- vport is mislabeled on arm, need to be less specific
- Add relabel_user_home_dirs for use by docker_t
- Allow net_admin cap for dnssec-trigger to make wifi reconnect working.
- Add support for /var/lib/ipsilon dir and label it as httpd_var_lib_t. BZ(1186046)
- Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd.
- Add glusterd_filetrans_named_pid() interface.
- Allow antivirus_t to read system state info.BZ(1217616)
- Dontaudit use console for chrome-sandbox. BZ(1216087)
- Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot. BZ(1215359)
- Clamd needs to have fsetid capability. BZ(1215308)
- Allow cinder-backup to dbus chat with systemd-logind. BZ(1207098)
- Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files.
- Allow gssd to access kernel keyring for login_pgm domains.
- Add more fixes related to timemaster+ntp+ptp4l.
- Allow docker sandbox domains to search all mountpoiunts
- update winbind_t rules to allow IPC for winbind. BZ(1210663)
- Allow dhcpd kill capability.
- Add support for new fence agent fence_mpath which is executed by fence_node.
- Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
- Allow redis to create /var/run/redis/redis.sock.
- Allow fence_mpathpersist to run mpathpersist which requires sys_admin capability.
- Allow timemaster send a signal to ntpd.
- Add rules for netlink_socket in iotop.
- Allow iotop netlink socket.
- Allow sys_ptrace cap for sblim-gatherd caused by ps.
- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
- Allow passenger to accept connection.
- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
- Label /usr/bin/yum-deprecated as rpm_exec_t. (#1218650)
- Don't use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead.
- Add support for iprdbg logging files in /var/log.
- Add support for mongod/mongos systemd unit files.
- Allow inet_gethost called by couchdb to access /proc/net/unix. BZ(1207538)
- Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so (#1207410)