Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

selinux-policy-20240903-2.1 RPM for noarch

From OpenSuSE Tumbleweed for noarch

Name: selinux-policy Distribution: openSUSE Tumbleweed
Version: 20240903 Vendor: openSUSE
Release: 2.1 Build date: Wed Sep 4 15:07:52 2024
Group: System/Management Build host: reproducible
Size: 25511 Source RPM: selinux-policy-20240903-2.1.src.rpm
Packager: https://bugs.opensuse.org
Url: https://github.com/fedora-selinux/selinux-policy.git
Summary: SELinux policy configuration
A complete SELinux policy that can be used as the system policy for a variety
of systems and used as the basis for creating other policies.

Provides

Requires

License

GPL-2.0-or-later

Changelog

* Wed Sep 04 2024 Cathy Hu <cathy.hu@suse.com>
  - Fix macros.selinux-policy (bsc#1229132)
    - %selinux_modules_install and %selinux_modules_uninstall will
      now only execute load_policy if $TRANSACTIONAL_UPDATE is not set
      (aka only if they are not in a transactional system)
    - $TRANSACTIONAL_UPDATE is set here:
      https://github.com/openSUSE/transactional-update/blob/bd524d3ddfcd9aeebb7b90d3e0e8eed09b796a86/lib/Transaction.cpp#L428
* Tue Sep 03 2024 Johannes Segitz <jsegitz@suse.com>
  - Disable build of the MLS policy. We currently don't know if it works
    and don't want to encourage users to apply it
* Tue Sep 03 2024 cathy.hu@suse.com
  - Update to version 20240903:
    * allow sshd_t and sshd_net_t access to ssh vsockets (bsc#1228831)
* Mon Sep 02 2024 cathy.hu@suse.com
  - Update to version 20240902:
    * Allow xen to use qemu as dom0 disk backend (bsc#1228540)
    * Label /var/lib/xen/xenstore as xenstored_var_lib_t (bsc#1228540)
    * Allow xl to access hypercall interfaces to xen hypervisor (bsc#1228540)
* Fri Aug 30 2024 cathy.hu@suse.com
  - Update to version 20240830:
    * Allow virtstoraged to manage images (bsc#1228742)
    * Allow virtstoraged_t domtrans to udev (bsc#1228742)
* Wed Aug 28 2024 cathy.hu@suse.com
  - Update to version 20240828:
    * Allow systemd-ssh-generator to load net-pf-40 (bsc#1229766)
* Mon Aug 26 2024 Cathy Hu <cathy.hu@suse.com>
  - Enable named_write_master_zones boolean by default (bsc#1229479)
* Fri Aug 23 2024 cathy.hu@suse.com
  - Update to version 20240823:
    * Allow rasdaemon write access to sysfs (bsc#1229587)
* Fri Aug 16 2024 cathy.hu@suse.com
  - Update to version 20240816:
    * Initial policy for syslog-ng (bsc#1229153)
* Wed Aug 14 2024 cathy.hu@suse.com
  - Update to version 20240814:
    * Dontaudit dac_override of fstab generator (bsc#1229127)
* Wed Aug 14 2024 Cathy Hu <cathy.hu@suse.com>
  - Drop varrun-convert.sh script as it causes issues with
    container-selinux update (bsc#1228951)
* Mon Aug 12 2024 cathy.hu@suse.com
  - Update to version 20240812:
    * Update libvirt policy
    * Add port 80/udp and 443/udp to http_port_t definition
    * Additional updates stalld policy for bpf usage
    * Label systemd-pcrextend and systemd-pcrlock properly
    * Allow coreos_installer_t work with partitions
    * Revert "Allow coreos-installer-generator work with partitions"
    * Add policy for systemd-pcrextend
    * Update policy for systemd-getty-generator
    * Allow ip command write to ipsec's logs
    * Allow virt_driver_domain read virtd-lxc files in /proc
    * Revert "Allow svirt read virtqemud fifo files"
    * Update virtqemud policy for libguestfs usage
    * Allow virtproxyd create and use its private tmp files
    * Allow virtproxyd read network state
    * Allow virt_driver_domain create and use log files in /var/log
    * Allow samba-dcerpcd work with ctdb cluster
    * Allow NetworkManager_dispatcher_t send SIGKILL to plugins
    * Allow setroubleshootd execute sendmail with a domain transition
    * Allow key.dns_resolve set attributes on the kernel key ring
    * Update qatlib policy for v24.02 with new features
    * Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t
    * Allow tlp status power services
    * Allow virtqemud domain transition on passt execution
    * Allow virt_driver_domain connect to systemd-userdbd over a unix socket
    * Allow boothd connect to systemd-userdbd over a unix socket
    * Update policy for awstats scripts
    * Allow bitlbee execute generic programs in system bin directories
    * Allow login_userdomain read aliases file
    * Allow login_userdomain read ipsec config files
    * Allow login_userdomain read all pid files
    * Allow rsyslog read systemd-logind session files
    * Allow libvirt-dbus stream connect to virtlxcd
* Fri Aug 09 2024 cathy.hu@suse.com
  - Update to version 20240809:
    * Label /run/udev/rules.d as udev_rules_t
    * Provide type for sysstat lock files (bsc#1228247)
    * Allow snapper to delete unlabeled_t files (bsc#1228889)
* Thu Aug 08 2024 cathy.hu@suse.com
  - Update to version 20240808:
    * Use new kanidm interfaces
    * Initial module for kanidm
    * Update bootupd policy
    * Allow rhsmcertd read/write access to /dev/papr-sysparm
    * Label /dev/papr-sysparm and /dev/papr-vpd
    * Allow abrt-dump-journal-core connect to winbindd
    * Allow systemd-hostnamed shut down nscd
    * Allow systemd-pstore send a message to syslogd over a unix domain
    * Allow postfix_domain map postfix_etc_t files
    * Allow microcode create /sys/devices/system/cpu/microcode/reload
    * Allow rhsmcertd read, write, and map ica tmpfs files
    * Support SGX devices
    * Allow initrc_t transition to passwd_t
    * Update fstab and cryptsetup generators policy
    * Allow xdm_t read and write the dma device
    * Update stalld policy for bpf usage
    * Allow systemd_gpt_generator to getattr on DOS directories
    * Make cgroup_memory_pressure_t a part of the file_type attribute
    * Allow ssh_t to change role to system_r
    * Update policy for coreos generators
    * Allow init_t nnp domain transition to firewalld_t
    * Label /run/modprobe.d with modules_conf_t
    * Allow virtnodedevd run udev with a domain transition
    * Allow virtnodedev_t create and use virtnodedev_lock_t
    * Allow virtstoraged manage files with virt_content_t type
    * Allow virtqemud unmount a filesystem with extended attributes
    * Allow svirt_t connect to unconfined_t over a unix domain socket
    * Update afterburn file transition policy
    * Allow systemd_generator read attributes of all filesystems
    * Allow fstab-generator read and write cryptsetup-generator unit file
    * Allow cryptsetup-generator read and write fstab-generator unit file
    * Allow systemd_generator map files in /etc
    * Allow systemd_generator read init's process state
    * Allow coreos-installer-generator read sssd public files
    * Allow coreos-installer-generator work with partitions
    * Label /etc/mdadm.conf.d with mdadm_conf_t
    * Confine coreos generators
    * Label /run/metadata with afterburn_runtime_t
    * Allow afterburn list ssh home directory
    * Label samba certificates with samba_cert_t
    * Label /run/coreos-installer-reboot with coreos_installer_var_run_t
    * Allow virtqemud read virt-dbus process state
    * Allow staff user dbus chat with virt-dbus
    * Allow staff use watch /run/systemd
    * Allow systemd_generator to write kmsg
    * Allow virtqemud connect to sanlock over a unix stream socket
    * Allow virtqemud relabel virt_var_run_t directories
    * Allow svirt_tcg_t read vm sysctls
    * Allow virtnodedevd connect to systemd-userdbd over a unix socket
    * Allow svirt read virtqemud fifo files
    * Allow svirt attach_queue to a virtqemud tun_socket
    * Allow virtqemud run ssh client with a transition
    * Allow virt_dbus_t connect to virtqemud_t over a unix stream socket
    * Update keyutils policy
    * Allow sshd_keygen_t connect to userdbd over a unix stream socket
    * Allow postfix-smtpd read mysql config files
    * Allow locate stream connect to systemd-userdbd
    * Allow the staff user use wireshark
    * Allow updatedb connect to userdbd over a unix stream socket
    * Allow gpg_t set attributes of public-keys.d
    * Allow gpg_t get attributes of login_userdomain stream
    * Allow systemd_getty_generator_t read /proc/1/environ
    * Allow systemd_getty_generator_t to read and write to tty_device_t
    * Drop publicfile module
    * Remove permissive domain for systemd_nsresourced_t
    * Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t
    * Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t
    * Allow to create and delete socket files created by rhsm.service
    * Allow virtnetworkd exec shell when virt_hooks_unconfined is on
    * Allow unconfined_service_t transition to passwd_t
    * Support /var is empty
    * Allow abrt-dump-journal read all non_security socket files
    * Allow timemaster write to sysfs files
    * Dontaudit domain write cgroup files
    * Label /usr/lib/node_modules/npm/bin with bin_t
    * Allow ip the setexec permission
    * Allow systemd-networkd write files in /var/lib/systemd/network
    * Fix typo in systemd_nsresourced_prog_run_bpf()
* Fri Aug 02 2024 cathy.hu@suse.com
  - Update to version 20240802:
    * Dontaudit search of snapper grub plugin to nscd socket (bsc#1228745)
* Wed Jul 31 2024 cathy.hu@suse.com
  - Update to version 20240731:
    * Initial policy for ibft-rule-generator (bsc#1228402)
    * Initial policy for systemd-status-mail (bsc#1228402)
* Wed Jul 31 2024 cathy.hu@suse.com
  - Update to version 20240731:
    * Fix labels for bind/named (bsc#1228372)
* Mon Jul 29 2024 cathy.hu@suse.com
  - Update to version 20240729:
    * Label /usr/libexec/netconfig/ppp/ip-up pppd_initrc_exec_t (bsc#1228385)
    * Allow pppd to manage sysnet directories (bsc#1228385)
* Fri Jul 26 2024 cathy.hu@suse.com
  - Update to version 20240726:
    * Allow snapper grub plugin to manage unlabeled_t and read link files
* Thu Jul 25 2024 cathy.hu@suse.com
  - Update to version 20240725:
    * Initial policy for grub2 snapper plugin (bsc#1228205)
* Tue Jul 16 2024 cathy.hu@suse.com
  - Update to version 20240716:
    * Set microos autorelabel script to systemd_autorelabel_generator_t
    * Allow systemd_generator to write kmsg
    * Initial policy for systemd growpart-generator (bsc#1226824)
* Mon Jul 15 2024 cathy.hu@suse.com
  - Update to version 20240715:
    * Allow systemd_getty_generator_t read /proc/1/environ
    * Allow systemd_getty_generator_t to read and write to tty_device_t (bsc#1226888)
* Wed Jul 10 2024 cathy.hu@suse.com
  - Enable sap module
  - Add equivalency in file_contexts.subs_dist
    * /bin /usr/bin
    * /sbin /usr/bin
    * /usr/sbin /usr/bin
  - Update to version 20240710:
    * Change fc in rebootmgr module for /sbin -> /usr/bin
    * Change fc in rpm module for /sbin -> /usr/bin
    * Change fc in rsync module for /sbin -> /usr/bin
    * Change fc in wicked module for /sbin -> /usr/bin
    * Confine libvirt-dbus
    * Allow virtqemud the kill capability in user namespace
    * Allow rshim get options of the netlink class for KOBJECT_UEVENT family
    * Allow dhcpcd the kill capability
    * Allow systemd-networkd list /var/lib/systemd/network
    * Allow sysadm_t run systemd-nsresourced bpf programs
    * Update policy for systemd generators interactions
    * Allow create memory.pressure files with cgroup_memory_pressure_t
    * Add support for libvirt hooks
    * Allow certmonger read and write tpm devices
    * Allow all domains to connect to systemd-nsresourced over a unix socket
    * Allow systemd-machined read the vsock device
    * Update policy for systemd generators
    * Allow ptp4l_t request that the kernel load a kernel module
    * Allow sbd to trace processes in user namespace
    * Allow request-key execute scripts
    * Update policy for haproxyd
    * Update policy for systemd-nsresourced
    * Correct sbin-related file context entries
    * Allow login_userdomain execute systemd-tmpfiles in the caller domain
    * Allow virt_driver_domain read files labeled unconfined_t
    * Allow virt_driver_domain dbus chat with policykit
    * Allow virtqemud manage nfs files when virt_use_nfs boolean is on
    * Add rules for interactions between generators
    * Label memory.pressure files with cgroup_memory_pressure_t
    * Revert "Allow some systemd services write to cgroup files"
    * Update policy for systemd-nsresourced
    * Label /usr/bin/ntfsck with fsadm_exec_t
    * Allow systemd_fstab_generator_t read tmpfs files
    * Update policy for systemd-nsresourced
    * Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
    * Remove a few lines duplicated between {dkim,milter}.fc
    * Alias /bin → /usr/bin and remove redundant paths
    * Drop duplicate line for /usr/sbin/unix_chkpwd
    * Drop duplicate paths for /usr/sbin
    * Update systemd-generator policy
    * Remove permissive domain for bootupd_t
    * Remove permissive domain for coreos_installer_t
    * Remove permissive domain for afterburn_t
    * Add the sap module to modules.conf
    * Move unconfined_domain(sap_unconfined_t) to an optional block
    * Create the sap module
    * Allow systemd-coredumpd sys_admin and sys_resource capabilities
    * Allow systemd-coredump read nsfs files
    * Allow generators auto file transition only for plain files
    * Allow systemd-hwdb write to the kernel messages device
    * Escape "interface" as a file name in a virt filetrans pattern
    * Allow gnome-software work for login_userdomain
    * Allow systemd-machined manage runtime sockets
    * Revert "Allow systemd-machined manage runtime sockets"
    * Allow postfix_domain connect to postgresql over a unix socket
    * Dontaudit systemd-coredump sys_admin capability
  - Update container-selinux
* Tue Jul 02 2024 cathy.hu@suse.com
  - Update to version 20240702:
    * Allow manage dosfs_t files to snapperd (bsc#1224120)
    * Add auth_rw_wtmpdb_login_records to domains using auth_manage_login_records
    * Add auth_rw_wtmpdb_login_records to modules
    * Allow xdm_t to read-write to wtmpdb (bsc#1225984)
    * Introduce types for wtmpdb and rw interface
    * Introduce wtmp_file_type attribute
    * Revert "Add policy for wtmpdb (bsc#1210717)"
* Mon Jun 17 2024 cathy.hu@suse.com
  - Update to version 20240617:
    * Allow gnome control center to set autologin (bsc#1222978)
    * Dontaudit xdm_t to getattr on root_t (bsc#1223145)
* Thu Jun 13 2024 cathy.hu@suse.com
  - Update to version 20240613:
    * Allow systemd_fstab_generator_t read tmpfs files (bsc#1223599)
* Wed Jun 12 2024 cathy.hu@suse.com
  - Update to version 20240612:
    * Allow all domains read and write z90crypt device
    * Allow tpm2 generator setfscreate
    * Allow systemd (PID 1) manage systemd conf files
    * Allow pulseaudio map its runtime files
    * Update policy for getty-generator
    * Allow systemd-hwdb send messages to kernel unix datagram sockets
    * Allow systemd-machined manage runtime sockets
    * Allow fstab-generator create unit file symlinks
    * Update policy for cryptsetup-generator
    * Update policy for fstab-generator
    * Allow virtqemud read vm sysctls
    * Allow collectd to trace processes in user namespace
    * Allow bootupd search efivarfs dirs
    * Add policy for systemd-mountfsd
    * Add policy for systemd-nsresourced
    * Update policy generators
    * Add policy for anaconda-generator
    * Update policy for fstab and gpt generators
    * Add policy for kdump-dep-generator
    * Add policy for a generic generator
    * Add policy for tpm2 generator
    * Add policy for ssh-generator
    * Add policy for second batch of generators
    * Update policy for systemd generators
    * ci: Adjust Cockpit test plans
    * Allow journald read systemd config files and directories
    * Allow systemd_domain read systemd_conf_t dirs
    * Fix bad Python regexp escapes
    * Allow fido services connect to postgres database
    * Revert "Update the README.md file with the c10s branch information"
    * Update the README.md file with the c10s branch information
    * Allow postfix smtpd map aliases file
    * Ensure dbus communication is allowed bidirectionally
    * Label systemd configuration files with systemd_conf_t
    * Label /run/systemd/machine with systemd_machined_var_run_t
    * Allow systemd-hostnamed read the vsock device
    * Allow sysadm execute dmidecode using sudo
    * Allow sudodomain list files in /var
    * Allow setroubleshootd get attributes of all sysctls
    * Allow various services read and write z90crypt device
    * Allow nfsidmap connect to systemd-homed
    * Allow sandbox_x_client_t dbus chat with accountsd
    * Allow system_cronjob_t dbus chat with avahi_t
    * Allow staff_t the io_uring sqpoll permission
    * Allow staff_t use the io_uring API
    * Add support for secretmem anon inode
    * Allow virtqemud read vfio devices
    * Allow virtqemud get attributes of a tmpfs filesystem
    * Allow svirt_t read vm sysctls
    * Allow virtqemud create and unlink files in /etc/libvirt/
    * Allow virtqemud get attributes of cifs files
    * Allow virtqemud get attributes of filesystems with extended attributes
    * Allow virtqemud get attributes of NFS filesystems
    * Allow virt_domain read and write usb devices conditionally
    * Allow virtstoraged use the io_uring API
    * Allow virtstoraged execute lvm programs in the lvm domain
    * Allow virtnodevd_t map /var/lib files
    * Allow svirt_tcg_t map svirt_image_t files
    * Allow abrt-dump-journal-core connect to systemd-homed
    * Allow abrt-dump-journal-core connect to systemd-machined
    * Allow sssd create and use io_uring
    * Allow selinux-relabel-generator create units dir
    * Allow dbus-broker read/write inherited user ttys
    * Define transitions for /run/libvirt/common and /run/libvirt/qemu
    * Allow systemd-sleep read raw disk data
    * Allow numad to trace processes in user namespace
    * Allow abrt-dump-journal-core connect to systemd-userdbd
    * Allow plymouthd read efivarfs files
    * Update the auth_dontaudit_read_passwd_file() interface
    * Label /dev/mmcblk0rpmb character device with removable_device_t
    * fix hibernate on btrfs swapfile (F40)
    * Allow nut to statfs()
    * Allow system dbusd service status systemd services
    * Allow systemd-timedated get the timemaster service status
    * Allow keyutils-dns-resolver connect to the system log service
    * Allow qemu-ga read vm sysctls
    * postfix: allow qmgr to delete mails in bounce/ directory
* Mon Jun 03 2024 Johannes Segitz <jsegitz@suse.com>
  - Remove "Reference" from the package description. It's not the
    reference policy, but the Fedora branch of the policy
* Tue May 28 2024 Cathy Hu <cathy.hu@suse.com>
  - Use python311 tools in 15.4 and 15.5 when building selinux-policy to deprecate
    python36 tooling
* Wed May 08 2024 Johannes Segitz <jsegitz@suse.com>
  - Fixed varrun-convert.sh script to not break because of duplicate
    entries
* Mon May 06 2024 Johannes Segitz <jsegitz@suse.com>
  - Move to %posttrans to ensure selinux-policy got updated before
    the commands run (bsc#1221720)
* Mon Apr 15 2024 Cathy Hu <cathy.hu@suse.com>
  - Add file contexts "forwarding" to file_contexts.sub_dist
    to fix systemd-gpt-auto-generator and systemd-fstab-generator
    (bsc#1222736):
    * /run/systemd/generator.early /usr/lib/systemd/system
    * /run/systemd/generator.late /usr/lib/systemd/system
* Thu Apr 11 2024 cathy.hu@suse.com
  - Update to version 20240411:
    * Remove duplicate in sysnetwork.fc
    * Rename /var/run/wicked* to /run/wicked*
    * Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc
    * policy: support pidfs
    * Confine selinux-autorelabel-generator.sh
    * Allow logwatch_mail_t read/write to init over a unix stream socket
    * Allow logwatch read logind sessions files
    * files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it
    * files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it
    * Allow NetworkManager the sys_ptrace capability in user namespace
    * dontaudit execmem for modemmanager
    * Allow dhcpcd use unix_stream_socket
    * Allow dhcpc read /run/netns files
    * Update mmap_rw_file_perms to include the lock permission
    * Allow plymouthd log during shutdown
    * Add logging_watch_all_log_dirs() and logging_watch_all_log_files()
    * Allow journalctl_t read filesystem sysctls
    * Allow cgred_t to get attributes of cgroup filesystems
    * Allow wdmd read hardware state information
    * Allow wdmd list the contents of the sysfs directories
    * Allow linuxptp configure phc2sys and chronyd over a unix domain socket
    * Allow sulogin relabel tty1
    * Dontaudit sulogin the checkpoint_restore capability
    * Modify sudo_role_template() to allow getpgid
    * Allow userdomain get attributes of files on an nsfs filesystem
    * Allow opafm create NFS files and directories
    * Allow virtqemud create and unlink files in /etc/libvirt/
    * Allow virtqemud domain transition on swtpm execution
    * Add the swtpm.if interface file for interactions with other domains
    * Allow samba to have dac_override capability
    * systemd: allow sys_admin capability for systemd_notify_t
    * systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
    * Allow thumb_t to watch and watch_reads mount_var_run_t
    * Allow krb5kdc_t map krb5kdc_principal_t files
    * Allow unprivileged confined user dbus chat with setroubleshoot
    * Allow login_userdomain map files in /var
    * Allow wireguard work with firewall-cmd
    * Differentiate between staff and sysadm when executing crontab with sudo
    * Add crontab_admin_domtrans interface
    * Allow abrt_t nnp domain transition to abrt_handle_event_t
    * Allow xdm_t to watch and watch_reads mount_var_run_t
    * Dontaudit subscription manager setfscreate and read file contexts
    * Don't audit crontab_domain write attempts to user home
    * Transition from sudodomains to crontab_t when executing crontab_exec_t
    * Add crontab_domtrans interface
    * Fix label of pseudoterminals created from sudodomain
    * Allow utempter_t use ptmx
    * Dontaudit rpmdb attempts to connect to sssd over a unix stream socket
    * Allow admin user read/write on fixed_disk_device_t
    * Only allow confined user domains to login locally without unconfined_login
    * Add userdom_spec_domtrans_confined_admin_users interface
    * Only allow admindomain to execute shell via ssh with ssh_sysadm_login
    * Add userdom_spec_domtrans_admin_users interface
    * Move ssh dyntrans to unconfined inside unconfined_login tunable policy
    * Update ssh_role_template() for user ssh-agent type
    * Allow init to inherit system DBus file descriptors
    * Allow init to inherit fds from syslogd
    * Allow any domain to inherit fds from rpm-ostree
    * Update afterburn policy
    * Allow init_t nnp domain transition to abrtd_t
    * Rename all /var/lock file context entries to /run/lock
    * Rename all /var/run file context entries to /run
  - Add script varrun-convert.sh for locally existing modules
    to be able to cope with the /var/run -> /run change
  - Update embedded container-selinux to commit
    a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e
* Thu Mar 21 2024 jsegitz@suse.com
  - Update to version 20240321:
    * policy module for kiwi (bsc#1221109)
    * dontaudit execmem for modemmanager (bsc#1219363)
* Wed Mar 13 2024 cathy.hu@suse.com
  - Update to version 20240313:
    * Assign alts_exec_t to files_type
* Fri Mar 08 2024 cathy.hu@suse.com
  - Update to version 20240308:
    * Support /bin/alts in the policy (bsc#1217530)
    * Revert "Allow virtnetworkd_t to execute bin_t (bsc#1216903)"
* Wed Mar 06 2024 cathy.hu@suse.com
  - Update to version 20240306:
    * Replace init domtrans rule for confined users to allow exec init
    * Update dbus_role_template() to allow user service status
    * Allow polkit status all systemd services
    * Allow setroubleshootd create and use inherited io_uring
    * Allow load_policy read and write generic ptys
* Mon Mar 04 2024 cathy.hu@suse.com
  - Update to version 20240304:
    * Allow ssh-keygen to use the libica crypto module (bsc#1220373)
* Mon Feb 05 2024 cathy.hu@suse.com
  - Update to version 20240205:
    * Allow gpg manage rpm cache
    * Allow login_userdomain name_bind to howl and xmsg udp ports
    * Allow rules for confined users logged in plasma
    * Label /dev/iommu with iommu_device_t
    * Remove duplicate file context entries in /run
    * Dontaudit getty and plymouth the checkpoint_restore capability
    * Allow su domains write login records
    * Revert "Allow su domains write login records"
    * Allow login_userdomain delete session dbusd tmp socket files
    * Allow unix dgram sendto between exim processes
    * Allow su domains write login records
    * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
    * Allow chronyd-restricted read chronyd key files
    * Allow conntrackd_t to use bpf capability2
    * Allow systemd-networkd manage its runtime socket files
    * Allow init_t nnp domain transition to colord_t
    * Allow polkit status systemd services
    * nova: Fix duplicate declarations
    * Allow httpd work with PrivateTmp
    * Add interfaces for watching and reading ifconfig_var_run_t
    * Allow collectd read raw fixed disk device
    * Allow collectd read udev pid files
    * Set correct label on /etc/pki/pki-tomcat/kra
    * Allow systemd domains watch system dbus pid socket files
    * Allow certmonger read network sysctls
    * Allow mdadm list stratisd data directories
    * Allow syslog to run unconfined scripts conditionally
    * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
    * Allow qatlib set attributes of vfio device files
    * Allow systemd-sleep set attributes of efivarfs files
    * Allow samba-dcerpcd read public files
    * Allow spamd_update_t the sys_ptrace capability in user namespace
    * Allow bluetooth devices work with alsa
    * Allow alsa get attributes filesystems with extended attributes
    * Allow hypervkvp_t write access to NetworkManager_etc_rw_t
    * Add interface for write-only access to NetworkManager rw conf
    * Allow systemd-sleep send a message to syslog over a unix dgram socket
    * Allow init create and use netlink netfilter socket
    * Allow qatlib load kernel modules
    * Allow qatlib run lspci
    * Allow qatlib manage its private runtime socket files
    * Allow qatlib read/write vfio devices
    * Label /etc/redis.conf with redis_conf_t
    * Remove the lockdown-class rules from the policy
    * Allow init read all non-security socket files
    * Replace redundant dnsmasq pattern macros
    * Remove unneeded symlink perms in dnsmasq.if
    * Add additions to dnsmasq interface
    * Allow nvme_stas_t create and use netlink kobject uevent socket
    * Allow collectd connect to statsd port
    * Allow keepalived_t to use sys_ptrace of cap_userns
    * Allow dovecot_auth_t connect to postgresql using UNIX socket
    * Make named_zone_t and named_var_run_t a part of the mountpoint attribute
    * Allow sysadm execute traceroute in sysadm_t domain using sudo
    * Allow sysadm execute tcpdump in sysadm_t domain using sudo
    * Allow opafm search nfs directories
    * Add support for syslogd unconfined scripts
    * Allow gpsd use /dev/gnss devices
    * Allow gpg read rpm cache
    * Allow virtqemud additional permissions
    * Allow virtqemud manage its private lock files
    * Allow virtqemud use the io_uring api
    * Allow ddclient send e-mail notifications
    * Allow postfix_master_t map postfix data files
    * Allow init create and use vsock sockets
    * Allow thumb_t append to init unix domain stream sockets
    * Label /dev/vas with vas_device_t
    * Create interface selinux_watch_config and add it to SELinux users
    * Update cifs interfaces to include fs_search_auto_mountpoints()
    * Allow sudodomain read var auth files
    * Allow spamd_update_t read hardware state information
    * Allow virtnetworkd domain transition on tc command execution
    * Allow sendmail MTA connect to sendmail LDA
    * Allow auditd read all domains process state
    * Allow rsync read network sysctls
    * Add dhcpcd bpf capability to run bpf programs
    * Dontaudit systemd-hwdb dac_override capability
    * Allow systemd-sleep create efivarfs files
    * Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
    * Allow graphical applications work in Wayland
    * Allow kdump work with PrivateTmp
    * Allow dovecot-auth work with PrivateTmp
    * Allow nfsd get attributes of all filesystems
    * Allow unconfined_domain_type use io_uring cmd on domain
    * ci: Only run Rawhide revdeps tests on the rawhide branch
    * Label /var/run/auditd.state as auditd_var_run_t
    * Allow fido-device-onboard (FDO) read the crack database
    * Allow ip an explicit domain transition to other domains
    * Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
    * Allow  winbind_rpcd_t processes access when samba_export_all_* is on
    * Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
    * Allow ntp to bind and connect to ntske port.
* Tue Jan 16 2024 cathy.hu@suse.com
  - Update to version 20240116:
    * Fix gitolite homedir paths (bsc#1218826)
* Tue Jan 09 2024 cathy.hu@suse.com
  - Update to version 20240104:
    * Allow keepalived_t read+write kernel_t pipes (bsc#1216060)
    * allow rebootmgr to read the system state (bsc#1205931)
* Tue Nov 28 2023 Hu <cathy.hu@suse.com>
  - Trigger rebuild of the policy when pcre2 gets updated to avoid
    regex version mismatch errors (bsc#1216747).
* Fri Nov 24 2023 cathy.hu@suse.com
  - Update to version 20231124:
    * Allow virtnetworkd_t to execute bin_t (bsc#1216903)
* Wed Nov 22 2023 Hu <cathy.hu@suse.com>
  - Add new modules that were missed in the last update to
    modules-mls-contrib.conf
* Wed Nov 22 2023 Hu <cathy.hu@suse.com>
  - Add new modules that were missed in the last update to
    modules-targeted-contrib.conf
* Mon Oct 30 2023 cathy.hu@suse.com
  - Update to version 20231030:
    * Allow system_mail_t manage exim spool files and dirs
    * Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
    * Label /run/pcsd.socket with cluster_var_run_t
    * ci: Run cockpit tests in PRs
    * Add map_read map_write to kernel_prog_run_bpf
    * Allow systemd-fstab-generator read all symlinks
    * Allow systemd-fstab-generator the dac_override capability
    * Allow rpcbind read network sysctls
    * Support using systemd containers
    * Allow sysadm_t to connect to iscsid using a unix domain stream socket
    * Add policy for coreos installer
    * Add policy for nvme-stas
    * Confine systemd fstab,sysv,rc-local
    * Label /etc/aliases.lmdb with etc_aliases_t
    * Create policy for afterburn
    * Make new virt drivers permissive
    * Split virt policy, introduce virt_supplementary module
    * Allow apcupsd cgi scripts read /sys
    * Allow kernel_t to manage and relabel all files
    * Add missing optional_policy() to files_relabel_all_files()
    * Allow named and ndc use the io_uring api
    * Deprecate common_anon_inode_perms usage
    * Improve default file context(None) of /var/lib/authselect/backups
    * Allow udev_t to search all directories with a filesystem type
    * Implement proper anon_inode support
    * Allow targetd write to the syslog pid sock_file
    * Add ipa_pki_retrieve_key_exec() interface
    * Allow kdumpctl_t to list all directories with a filesystem type
    * Allow udev additional permissions
    * Allow udev load kernel module
    * Allow sysadm_t to mmap modules_object_t files
    * Add the unconfined_read_files() and unconfined_list_dirs() interfaces
    * Set default file context of HOME_DIR/tmp/.* to <<none>>
    * Allow kernel_generic_helper_t to execute mount(1)
    * Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
    * Allow systemd-localed create Xserver config dirs
    * Allow sssd read symlinks in /etc/sssd
    * Label /dev/gnss[0-9] with gnss_device_t
    * Allow systemd-sleep read/write efivarfs variables
    * ci: Fix version number of packit generated srpms
    * Dontaudit rhsmcertd write memory device
    * Allow ssh_agent_type create a sockfile in /run/user/USERID
    * Set default file context of /var/lib/authselect/backups to <<none>>
    * Allow prosody read network sysctls
    * Allow cupsd_t to use bpf capability
    * Allow sssd domain transition on passkey_child execution conditionally
    * Allow login_userdomain watch lnk_files in /usr
    * Allow login_userdomain watch video4linux devices
    * Change systemd-network-generator transition to include class file
    * Revert "Change file transition for systemd-network-generator"
    * Allow nm-dispatcher winbind plugin read/write samba var files
    * Allow systemd-networkd write to cgroup files
    * Allow kdump create and use its memfd: objects
    * Allow fedora-third-party get generic filesystem attributes
    * Allow sssd use usb devices conditionally
    * Update policy for qatlib
    * Allow ssh_agent_type manage generic cache home files
    * Change file transition for systemd-network-generator
    * Additional support for gnome-initial-setup
    * Update gnome-initial-setup policy for geoclue
    * Allow openconnect vpn open vhost net device
    * Allow cifs.upcall to connect to SSSD also through the /var/run socket
    * Grant cifs.upcall more required capabilities
    * Allow xenstored map xenfs files
    * Update policy for fdo
    * Allow keepalived watch var_run dirs
    * Allow svirt to rw /dev/udmabuf
    * Allow qatlib  to modify hardware state information.
    * Allow key.dns_resolve connect to avahi over a unix stream socket
    * Allow key.dns_resolve create and use unix datagram socket
    * Use quay.io as the container image source for CI
    * ci: Move srpm/rpm build to packit
    * .copr: Avoid subshell and changing directory
    * Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
    * Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
    * Make insights_client_t an unconfined domain
    * Allow insights-client manage user temporary files
    * Allow insights-client create all rpm logs with a correct label
    * Allow insights-client manage generic logs
    * Allow cloud_init create dhclient var files and init_t manage net_conf_t
    * Allow insights-client read and write cluster tmpfs files
    * Allow ipsec read nsfs files
    * Make tuned work with mls policy
    * Remove nsplugin_role from mozilla.if
    * allow mon_procd_t self:cap_userns sys_ptrace
    * Allow pdns name_bind and name_connect all ports
    * Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
    * ci: Move to actions/checkout@v3 version
    * .copr: Replace chown call with standard workflow safe.directory setting
    * .copr: Enable `set -u` for robustness
    * .copr: Simplify root directory variable
    * Allow rhsmcertd dbus chat with policykit
    * Allow polkitd execute pkla-check-authorization with nnp transition
    * Allow user_u and staff_u get attributes of non-security dirs
    * Allow unconfined user filetrans chrome_sandbox_home_t
    * Allow svnserve execute postdrop with a transition
    * Do not make postfix_postdrop_t type an MTA executable file
    * Allow samba-dcerpc service manage samba tmp files
    * Add use_nfs_home_dirs boolean for mozilla_plugin
    * Fix labeling for no-stub-resolv.conf
    * Revert "Allow winbind-rpcd use its private tmp files"
    * Allow upsmon execute upsmon via a helper script
    * Allow openconnect vpn read/write inherited vhost net device
    * Allow winbind-rpcd use its private tmp files
    * Update samba-dcerpc policy for printing
    * Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
    * Allow nscd watch system db dirs
    * Allow qatlib to read sssd public files
    * Allow fedora-third-party read /sys and proc
    * Allow systemd-gpt-generator mount a tmpfs filesystem
    * Allow journald write to cgroup files
    * Allow rpc.mountd read network sysctls
    * Allow blueman read the contents of the sysfs filesystem
    * Allow logrotate_t to map generic files in /etc
    * Boolean: Allow virt_qemu_ga create ssh directory
    * Allow systemd-network-generator send system log messages
    * Dontaudit the execute permission on sock_file globally
    * Allow fsadm_t the file mounton permission
    * Allow named and ndc the io_uring sqpoll permission
    * Allow sssd io_uring sqpoll permission
    * Fix location for /run/nsd
    * Allow qemu-ga get fixed disk devices attributes
    * Update bitlbee policy
    * Label /usr/sbin/sos with sosreport_exec_t
    * Update policy for the sblim-sfcb service
    * Add the files_getattr_non_auth_dirs() interface
    * Fix the CI to work with DNF5
    * Make systemd_tmpfiles_t MLS trusted for lowering the level of files
    * Revert "Allow insights client map cache_home_t"
    * Allow nfsidmapd connect to systemd-machined over a unix socket
    * Allow snapperd connect to kernel over a unix domain stream socket
    * Allow virt_qemu_ga_t create .ssh dir with correct label
    * Allow targetd read network sysctls
    * Set the abrt_handle_event boolean to on
    * Permit kernel_t to change the user identity in object contexts
    * Allow insights client map cache_home_t
    * Label /usr/sbin/mariadbd with mysqld_exec_t
    * Allow httpd tcp connect to redis port conditionally
    * Label only /usr/sbin/ripd and ripngd with zebra_exec_t
    * Dontaudit aide the execmem permission
    * Remove permissive from fdo
    * Allow sa-update manage spamc home files
    * Allow sa-update connect to systemlog services
    * Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
    * Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
    * Allow bootupd search EFI directory
    * Change init_audit_control default value to true
    * Allow nfsidmapd connect to systemd-userdbd with a unix socket
    * Add the qatlib  module
    * Add the fdo module
    * Add the bootupd module
    * Set default ports for keylime policy
    * Create policy for qatlib
    * Add policy for FIDO Device Onboard
    * Add policy for bootupd
    * Add support for kafs-dns requested by keyutils
    * Allow insights-client execmem
    * Add support for chronyd-restricted
    * Add init_explicit_domain() interface
    * Allow fsadm_t to get attributes of cgroup filesystems
    * Add list_dir_perms to kerberos_read_keytab
    * Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
    * Allow sendmail manage its runtime files
* Thu Oct 12 2023 cathy.hu@suse.com
  - Update to version 20231012:
    * Allow sssd_t watch permission to net_conf_t dirs (bsc#1216052)
    * Revert fix for bsc#1205770 since it causes a regression for bsc#1214887
* Wed Oct 04 2023 Johannes Segitz <jsegitz@suse.com>
  - Use /var/adm/update-scripts in macros.selinux-policy. The rpm state
    directory doesn't exist on SUSE systems (bsc#1213593)
* Tue Sep 19 2023 Johannes Segitz <jsegitz@suse.com>
  - Modified update.sh to require first parameter "full" to also
    update container-selinux. For maintenance updates you usually
    don't want it to be updated
* Fri Jul 28 2023 filippo.bonazzi@suse.com
  - Update to version 20230728:
    * Allow kdump_t to manage symlinks under kdump_var_lib_t (bsc#1213721)
    * allow haveged to manage tmpfs directories (bsc#1213594)
* Thu Jun 22 2023 jsegitz@suse.com
  - Update to version 20230622:
    * Allow keyutils_dns_resolver_exec_t be an entrypoint
    * Allow collectd_t read network state symlinks
    * Revert "Allow collectd_t read proc_net link files"
    * Allow nfsd_t to list exports_t dirs
    * Allow cupsd dbus chat with xdm
    * Allow haproxy read hardware state information
    * Label /dev/userfaultfd with userfaultfd_t
    * Allow blueman send general signals to unprivileged user domains
    * Allow dkim-milter domain transition to sendmail
* Tue Apr 25 2023 cathy.hu@suse.com
  - Update to version 20230425:
    * Remove unneeded manage_dirs_pattern for lastlog_t (bsc#1210461)
    * Add policy for wtmpdb (bsc#1210717)
* Tue Apr 25 2023 cathy.hu@suse.com
  - Update to version 20230425:
    * Add support for lastlog2 (bsc#1210461)
    * allow the chrony client to use unallocated ttys (bsc#1210672)
* Thu Apr 20 2023 jsegitz@suse.com
  - Update to version 20230420:
    * libzypp creates temporary files in /var/adm/mount. Label it with
      rpm_var_cache_t to prevent wrong labels in /var/cache/zypp
    * only use rsync_exec_t for the rsync server, not for the client
      (bsc#1209890)
    * properly label sshd-gen-keys-start to ensure ssh host keys have proper
      labels after creation
    * Allow dovecot-deliver write to the main process runtime fifo files
    * Allow dmidecode write to cloud-init tmp files
    * Allow chronyd send a message to cloud-init over a datagram socket
    * Allow cloud-init domain transition to insights-client domain
    * Allow mongodb read filesystem sysctls
    * Allow mongodb read network sysctls
    * Allow accounts-daemon read generic systemd unit lnk files
    * Allow blueman watch generic device dirs
    * Allow nm-dispatcher tlp plugin create tlp dirs
    * Allow systemd-coredump mounton /usr
    * Allow rabbitmq to read network sysctls
    * Allow certmonger dbus chat with the cron system domain
    * Allow geoclue read network sysctls
    * Allow geoclue watch the /etc directory
    * Allow logwatch_mail_t read network sysctls
    * allow systemd_resolved_t to bind to all nodes (bsc#1200182)
    * Allow insights-client read all sysctls
    * Allow passt manage qemu pid sock files
    * Allow sssd read accountsd fifo files
    * Add support for the passt_t domain
    * Allow virtd_t and svirt_t work with passt
    * Add new interfaces in the virt module
    * Add passt interfaces defined conditionally
    * Allow tshark the setsched capability
    * Allow poweroff create connections to system dbus
    * Allow wg load kernel modules, search debugfs dir
    * Boolean: allow qemu-ga manage ssh home directory
    * Label smtpd with sendmail_exec_t
    * Label msmtp and msmtpd with sendmail_exec_t
    * Allow dovecot to map files in /var/spool/dovecot
    * Confine gnome-initial-setup
    * Allow qemu-guest-agent create and use vsock socket
    * Allow login_pgm setcap permission
    * Allow chronyc read network sysctls
    * Enhancement of the /usr/sbin/request-key helper policy
    * Fix opencryptoki file names in /dev/shm
    * Allow system_cronjob_t transition to rpm_script_t
    * Revert "Allow system_cronjob_t domtrans to rpm_script_t"
    * Add tunable to allow squid bind snmp port
    * Allow staff_t getattr init pid chr & blk files and read krb5
    * Allow firewalld to rw z90crypt device
    * Allow httpd work with tokens in /dev/shm
    * Allow svirt to map svirt_image_t char files
    * Allow sysadm_t run initrc_t script and sysadm_r role access
    * Allow insights-client manage fsadm pid files
    * Allowing snapper to create snapshots of /home/ subvolume/partition
    * Add boolean qemu-ga to run unconfined script
    * Label systemd-journald feature LogNamespace
    * Add none file context for polyinstantiated tmp dirs
    * Allow certmonger read the contents of the sysfs filesystem
    * Add journalctl the sys_resource capability
    * Allow nm-dispatcher plugins read generic files in /proc
* Tue Mar 28 2023 Hu <cathy.hu@suse.com>
  - Add debug-build.sh script to make debugging without committing easier
* Tue Mar 21 2023 jsegitz@suse.com
  - Update to version 20230321:
    * make kernel_t unconfined again
* Thu Mar 16 2023 jsegitz@suse.com
  - Update to version 20230316:
    * prevent labeling of overlayfs filesystems based on the /var/lib/overlay
      path
    * allow kernel_t to relabel etc_t files
    * allow kernel_t to relabel sysnet config files
    * allow kernel_t to relabel systemd hwdb etc files
    * add systemd_hwdb_relabel_etc_files to allow labeling of hwdb files
    * change sysnet_relabelto_net_conf and sysnet_relabelfrom_net_conf to apply
      to files and lnk_files. lnk_files are commonly used in SUSE to allow easy
      management of config files
    * add files_relabel_etc_files_basic and files_relabel_etc_lnk_files_basic
      interfaces to allow labeling on etc_t, not on the broader configfiles
      attribute
    * Allow systemd-timesyncd to bind to generic UDP ports (bsc#1207962). The
      watch permissions reported are already fixed in a current policy.
  - Reinstate update.sh and remove container-selinux from the service.
    Having both repos in there causes issues and update.sh makes the update
    process easier in general. Updated README.Update
* Tue Mar 07 2023 Johannes Segitz <jsegitz@suse.com>
  - Remove erroneous SUSE man page. Will not be created with the
    3.5 toolchain
* Tue Feb 14 2023 Hu <cathy.hu@suse.com>
  - Complete packaging rework: Move policy to git repository and
    only use tar_scm obs service to refresh from there:
    https://gitlab.suse.de/selinux/selinux-policy
    Please use `osc service manualrun` to update this OBS package to the
    newest git version.
    * Added README.Update describing how to update this package
    * Added _service file that pulls from selinux-policy and
      upstream container-selinux and tars them
    * Adapted selinux-policy.spec to build selinux-policy with
      container-selinux
    * Removed update.sh as no longer needed
    * Removed suse specific modules as they are now covered by git commits
    * packagekit.te packagekit.if packagekit.fc
    * rebootmgr.te rebootmgr.if rebootmgr.fc
    * rtorrent.te rtorrent.if rtorrent.fc
    * wicked.te wicked.if wicked.fc
    * Removed *.patch as they are now covered by git commits:
    * distro_suse_to_distro_redhat.patch
    * dontaudit_interface_kmod_tmpfs.patch
    * fix_accountsd.patch
    * fix_alsa.patch
    * fix_apache.patch
    * fix_auditd.patch
    * fix_authlogin.patch
    * fix_automount.patch
    * fix_bitlbee.patch
    * fix_chronyd.patch
    * fix_cloudform.patch
    * fix_colord.patch
    * fix_corecommand.patch
    * fix_cron.patch
    * fix_dbus.patch
    * fix_djbdns.patch
    * fix_dnsmasq.patch
    * fix_dovecot.patch
    * fix_entropyd.patch
    * fix_firewalld.patch
    * fix_fwupd.patch
    * fix_geoclue.patch
    * fix_hypervkvp.patch
    * fix_init.patch
    * fix_ipsec.patch
    * fix_iptables.patch
    * fix_irqbalance.patch
    * fix_java.patch
    * fix_kernel.patch
    * fix_kernel_sysctl.patch
    * fix_libraries.patch
    * fix_locallogin.patch
    * fix_logging.patch
    * fix_logrotate.patch
    * fix_mcelog.patch
    * fix_miscfiles.patch
    * fix_nagios.patch
    * fix_networkmanager.patch
    * fix_nis.patch
    * fix_nscd.patch
    * fix_ntp.patch
    * fix_openvpn.patch
    * fix_postfix.patch
    * fix_rpm.patch
    * fix_rtkit.patch
    * fix_screen.patch
    * fix_selinuxutil.patch
    * fix_sendmail.patch
    * fix_smartmon.patch
    * fix_snapper.patch
    * fix_sslh.patch
    * fix_sysnetwork.patch
    * fix_systemd.patch
    * fix_systemd_watch.patch
    * fix_thunderbird.patch
    * fix_unconfined.patch
    * fix_unconfineduser.patch
    * fix_unprivuser.patch
    * fix_userdomain.patch
    * fix_usermanage.patch
    * fix_wine.patch
    * fix_xserver.patch
    * sedoctool.patch
    * systemd_domain_dyntrans_type.patch
* Mon Feb 06 2023 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20230206. Refreshed:
    * fix_entropyd.patch
    * fix_networkmanager.patch
    * fix_systemd_watch.patch
    * fix_unconfineduser.patch
  - Updated fix_kernel.patch to allow kernel_t access to xdm state. This is
    necessary as plymouth doesn't run in it's own domain in early boot
* Mon Jan 16 2023 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20230125. Refreshed:
    * distro_suse_to_distro_redhat.patch
    * fix_dnsmasq.patch
    * fix_init.patch
    * fix_ipsec.patch
    * fix_kernel_sysctl.patch
    * fix_logging.patch
    * fix_rpm.patch
    * fix_selinuxutil.patch
    * fix_systemd_watch.patch
    * fix_userdomain.patch
  - More flexible lib(exec) matching in fix_fwupd.patch
  - Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch
  - Dropped fix_container.patch, is now upstream
  - Added fix_entropyd.patch
    * Added new interface entropyd_semaphore_filetrans to properly transfer
      semaphore created during early boot. That doesn't work yet, so work
      around with next item
    * Allow reading tempfs files
  - Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace
    to allow kmod_tmpfs_t files to be executed. Necessary for firewalld
  - Added fix_rtkit.patch to fix labeling of binary
  - Modified fix_ntp.patch:
    * Proper labeling for start-ntpd
    * Fixed label rules for chroot path
    * Temporarily allow dac_override for ntpd_t (bsc#1207577)
    * Add interface ntp_manage_pid_files to allow management of pid
      files
  - Updated fix_networkmanager.patch to allow managing ntp pid files
* Thu Jan 12 2023 Johannes Segitz <jsegitz@suse.com>
  - Update fix_container.patch to allow privileged containers to use
    localectl (bsc#1207077)
* Wed Jan 11 2023 Johannes Segitz <jsegitz@suse.com>
  - Add fix_container.patch to allow privileged containers to use
    timedatectl (bsc#1207054)
* Thu Dec 15 2022 Hu <cathy.hu@suse.com>
  - Added fix_ipsec.patch: Allow AF_ALG socket creation for strongswan
    (bnc#1206445)
* Wed Dec 14 2022 Hu <cathy.hu@suse.com>
  - Added policy for wicked scripts under /etc/sysconfig/network/scripts
    (bnc#1205770)
* Wed Dec 14 2022 Johannes Segitz <jsegitz@suse.com>
  - Add fix_sendmail.patch
    * fix context of custom sendmail startup helper
    * fix context of /var/run/sendmail and add necessary rules to manage
      content in there
* Tue Dec 13 2022 Johannes Segitz <jsegitz@suse.com>
  - Updated fix_networkmanager.patch to fixe labeling of nm-dispatcher and
    nm-priv-helper until the packaging is adjusted (bsc#1206355)
  - Update fix_chronyd.patch to allow  sendto towards
    NetworkManager_dispatcher_custom_t. Added new interface
    networkmanager_dispatcher_custom_dgram_send for this (bsc#1206357)
  - Update fix_dbus.patch to allow dbus to watch lib directories (bsc#1205895)
* Tue Dec 06 2022 Johannes Segitz <jsegitz@suse.com>
  - Updated fix_networkmanager.patch to allow NetworkManager to watch
    net_conf_t (bsc#1206109)
* Wed Nov 30 2022 Filippo Bonazzi <filippo.bonazzi@suse.com>
  - Add fix_irqbalance.patch: support netlink socket operations (bsc#1205434)
* Wed Nov 30 2022 Filippo Bonazzi <filippo.bonazzi@suse.com>
  - Drop fix_irqbalance.patch: superseded by upstream
* Thu Nov 24 2022 Hu <cathy.hu@suse.com>
  - fix_sysnetwork.patch: firewalld uses /etc/sysconfig/network/ for
    network interface definition instead of /etc/sysconfig/network-scripts/,
    modified sysnetwork.fc to reflect that (bsc#1205580).
* Wed Oct 19 2022 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20221019. Refreshed:
    * distro_suse_to_distro_redhat.patch
    * fix_apache.patch
    * fix_chronyd.patch
    * fix_cron.patch
    * fix_init.patch
    * fix_kernel_sysctl.patch
    * fix_networkmanager.patch
    * fix_rpm.patch
    * fix_sysnetwork.patch
    * fix_systemd.patch
    * fix_systemd_watch.patch
    * fix_unconfined.patch
    * fix_unconfineduser.patch
    * fix_unprivuser.patch
    * fix_xserver.patch
  - Dropped fix_cockpit.patch as this is now packaged with cockpit itself
  - Remove the ipa module, freeip ships their own module
  - Added fix_alsa.patch to allow reading of config files in home directories
  - Extended fix_networkmanager.patch and fix_postfix.patch to account
    for SUSE systems
  - Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc
    queries the running processes
  - Updated fix_snapper.patch to allow snapper to talk to rpm via dbus
* Fri Sep 30 2022 Johannes Segitz <jsegitz@suse.com>
  - Updated quilt couldn't unpack tarball. This will cause ongoing issues
    so drop the sed statement in the %prep section and add
    distro_suse_to_distro_redhat.patch to add the necessary changes
    via a patch
* Thu Sep 29 2022 Johannes Segitz <jsegitz@suse.com>
  - Update fix_networkmanager.patch to ensure NetworkManager chrony
    dispatcher is properly labled and update fix_chronyd.patch to ensure
    chrony helper script has proper label to be used by NetworkManager.
    Also allow NetworkManager_dispatcher_custom_t to query systemd status
    (bsc#1203824)
* Tue Sep 27 2022 Filippo Bonazzi <filippo.bonazzi@suse.com>
  - Update fix_xserver.patch to add greetd support (bsc#1198559)
* Mon Sep 12 2022 Johannes Segitz <jsegitz@suse.com>
  - Revamped rtorrent module
* Fri Aug 26 2022 Thorsten Kukuk <kukuk@suse.com>
  - Move SUSE directory from manual page section to html docu
* Wed Jul 27 2022 Hu <cathy.hu@suse.com>
  - fix_networkmanager.patch: Allow NetworkManager_dispatcher_tlp_t
    and NetworkManager_dispatcher_custom_t to access nscd socket
    (bsc#1201741)
* Tue Jul 26 2022 Zdenek Kubala <zkubala@suse.com>
  - Add fix_cloudform.patch to fix cloud-init runcmd issue with snapper
    (bnc#1201015)
* Thu Jul 14 2022 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20220714. Refreshed:
    * fix_init.patch
    * fix_systemd_watch.patch
* Wed Jul 13 2022 Johannes Segitz <jsegitz@suse.com>
  - Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for
    systemd_gpt_generator_t (bsc#1200911)
* Mon Jul 11 2022 Johannes Segitz <jsegitz@suse.com>
  - postfix: Label PID files and some helpers correctly (bsc#1197242)
* Fri Jun 24 2022 Johannes Segitz <jsegitz@suse.com>
  - Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)
* Fri Jun 24 2022 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20220624. Refreshed:
    * fix_init.patch
    * fix_kernel_sysctl.patch
    * fix_logging.patch
    * fix_networkmanager.patch
    * fix_unprivuser.patch
    Dropped fix_hadoop.patch, not necessary anymore
    * Updated fix_locallogin.patch to allow accesses for nss-systemd
    (bsc#1199630)
* Fri May 20 2022 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20220520 to pass stricter 3.4 toolchain checks
* Fri May 20 2022 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20220428. Refreshed:
    * fix_apache.patch
    * fix_hadoop.patch
    * fix_init.patch
    * fix_iptables.patch
    * fix_kernel_sysctl.patch
    * fix_networkmanager.patch
    * fix_systemd.patch
    * fix_systemd_watch.patch
    * fix_unprivuser.patch
    * fix_usermanage.patch
    * fix_wine.patch
* Thu May 19 2022 Johannes Segitz <jsegitz@suse.com>
  - Add fix_dnsmasq.patch to fix problems with virtualization on Microos
    (bsc#1199518)
* Tue May 03 2022 Johannes Segitz <jsegitz@suse.com>
  - Modified fix_init.patch to allow init to setup contrained environment
    for accountsservice. This needs a better, more general solution
    (bsc#1197610)
* Mon May 02 2022 Johannes Segitz <jsegitz@suse.com>
  - Add systemd_domain_dyntrans_type.patch to allow systemd to dyntransition.
    This happens in certain boot conditions (bsc#1182500)
  - Changed fix_unconfineduser.patch to not transition into ldconfig_t
    from unconfined_t (bsc#1197169)
* Thu Feb 17 2022 Klaus Kämpf <kkaempf@suse.com>
  - use %license tag for COPYING file
* Thu Feb 10 2022 Johannes Segitz <jsegitz@suse.com>
  - Updated fix_cron.patch. Adjust labeling for at (bsc#1195683)
* Wed Feb 09 2022 Filippo Bonazzi <filippo.bonazzi@suse.com>
  - Fix bitlbee runtime directory (bsc#1193230)
    * add fix_bitlbee.patch
* Mon Jan 24 2022 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20220124. Refreshed:
    * fix_hadoop.patch
    * fix_init.patch
    * fix_kernel_sysctl.patch
    * fix_systemd.patch
    * fix_systemd_watch.patch
  - Added fix_hypervkvp.patch to fix issues with hyperv labeling
    (bsc#1193987)
* Fri Jan 14 2022 Johannes Segitz <jsegitz@suse.com>
  - Allow colord to use systemd hardenings (bsc#1194631)
* Thu Nov 11 2021 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20211111. Refreshed:
    * fix_dbus.patch
    * fix_systemd.patch
    * fix_authlogin.patch
    * fix_auditd.patch
    * fix_kernel_sysctl.patch
    * fix_networkmanager.patch
    * fix_chronyd.patch
    * fix_unconfineduser.patch
    * fix_unconfined.patch
    * fix_firewalld.patch
    * fix_init.patch
    * fix_xserver.patch
    * fix_logging.patch
    * fix_hadoop.patch
* Mon Oct 25 2021 Marcus Meissner <meissner@suse.com>
  - fix_wine.patch: give Wine .dll same context as .so (bsc#1191976)
* Tue Sep 28 2021 Enzo Matsumiya <ematsumiya@suse.com>
  - Fix auditd service start with systemd hardening directives (boo#1190918)
    * add fix_auditd.patch
* Thu Sep 02 2021 Johannes Segitz <jsegitz@suse.com>
  - Modified fix_systemd.patch to allow systemd gpt generator access to
    udev files (bsc#1189280)
* Fri Aug 27 2021 Ales Kedroutek <ales.kedroutek@suse.com>
  - fix rebootmgr does not trigger the reboot properly (boo#1189878)
    * fix managing /etc/rebootmgr.conf
    * allow rebootmgr_t to cope with systemd and dbus messaging
* Thu Aug 26 2021 Johannes Segitz <jsegitz@suse.com>
  - Properly label cockpit files
  - Allow wicked to communicate with network manager on DBUS (bsc#1188331)
* Mon Aug 23 2021 Ales Kedroutek <ales.kedroutek@suse.com>
  - Added policy module for rebootmgr (jsc#SMO-28)
* Tue Aug 17 2021 Ludwig Nussel <lnussel@suse.de>
  - Allow systemd-sysctl to read kernel specific sysctl.conf
    (fix_kernel_sysctl.patch, boo#1184804)
* Tue Aug 10 2021 Ludwig Nussel <lnussel@suse.de>
  - Fix quoting in postInstall macro
* Fri Jul 16 2021 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20210716
  - Remove interfaces for container module before building the package
    (bsc#1188184)
  - Updated
    * fix_init.patch
    * fix_systemd_watch.patch
    to adapt to upstream changes
* Thu Jul 15 2021 Callum Farmer <gmbr3@opensuse.org>
  - Use tabrmd SELinux modules from tpm2.0-abrmd instead of storing
    here
* Tue Jul 06 2021 Alberto Planas Dominguez <aplanas@suse.com>
  - Add tabrmd SELinux modules from upstream (bsc#1187925)
    https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux
  - Automatic spec-cleaner to fix ordering and misaligned spaces
* Mon Jun 28 2021 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20210419
  - Dropped fix_gift.patch, module was removed
  - Updated wicked.te to removed dropped interface
  - Refreshed:
    * fix_cockpit.patch
    * fix_hadoop.patch
    * fix_init.patch
    * fix_logging.patch
    * fix_logrotate.patch
    * fix_networkmanager.patch
    * fix_nscd.patch
    * fix_rpm.patch
    * fix_selinuxutil.patch
    * fix_systemd.patch
    * fix_systemd_watch.patch
    * fix_thunderbird.patch
    * fix_unconfined.patch
    * fix_unconfineduser.patch
    * fix_unprivuser.patch
    * fix_xserver.patch
* Tue May 18 2021 Ludwig Nussel <lnussel@suse.de>
  - allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units
    that trigger on changes in those.
    Added fix_systemd_watch.patch
  - own /usr/share/selinux/packages/$SELINUXTYPE/ and
    /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install
    files there
* Wed Apr 28 2021 Ludwig Nussel <lnussel@suse.de>
  - allow cockpit socket to bind nodes (fix_cockpit.patch)
  - use %autosetup to get rid of endless patch lines
* Tue Apr 27 2021 Johannes Segitz <jsegitz@suse.com>
  - Updated fix_networkmanager.patch to allow NetworkManager to watch
    its configuration directories
  - Added fix_dovecot.patch to fix dovecot authentication (bsc#1182207)
* Mon Apr 26 2021 Johannes Segitz <jsegitz@suse.com>
  - Added Recommends for selinux-autorelabel (bsc#1181837)
  - Prevent libreoffice fonts from changing types on every relabel
    (bsc#1185265). Added fix_libraries.patch
* Fri Apr 23 2021 Johannes Segitz <jsegitz@suse.com>
  - Transition unconfined users to ldconfig type (bsc#1183121).
    Extended fix_unconfineduser.patch
* Mon Apr 19 2021 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20210419
  - Refreshed:
    * fix_dbus.patch
    * fix_hadoop.patch
    * fix_init.patch
    * fix_unprivuser.patch
* Fri Mar 12 2021 Ales Kedroutek <ales.kedroutek@suse.com>
  - Adjust fix_init.patch to allow systemd to do sd-listen on
    tcp socket [bsc#1183177]
* Tue Mar 09 2021 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20210309
  - Refreshed
    * fix_systemd.patch
    * fix_selinuxutil.patch
    * fix_iptables.patch
    * fix_init.patch
    * fix_logging.patch
    * fix_nscd.patch
    * fix_hadoop.patch
    * fix_unconfineduser.patch
    * fix_chronyd.patch
    * fix_networkmanager.patch
    * fix_cron.patch
    * fix_usermanage.patch
    * fix_unprivuser.patch
    * fix_rpm.patch
  - Ensure that /usr/etc is labeled according to /etc rules
* Tue Feb 23 2021 Thorsten Kukuk <kukuk@suse.com>
  - Update to version 20210223
  - Change name of tar file to a more common schema to allow
    parallel installation of several source versions
  - Adjust fix_init.patch
* Mon Jan 11 2021 Thorsten Kukuk <kukuk@suse.com>
  - Update to version 20210111
    - Drop fix_policykit.patch (integrated upstream)
    - Adjust fix_iptables.patch
    - update container policy

Files

/etc/selinux
/etc/selinux/config
/usr/lib/rpm/macros.d/macros.selinux-policy
/usr/lib/tmpfiles.d/selinux-policy.conf
/usr/share/licenses/selinux-policy
/usr/share/licenses/selinux-policy/COPYING
/usr/share/selinux
/usr/share/selinux/packages


Generated by rpm2html 1.8.1

Fabrice Bellet, Wed Sep 11 00:07:27 2024