-
Wed Nov 04 2020 EL Errata <el-errata_ww@oracle.com> - 3.14.3-54.0.1
- Make lsmd, rngd, and kdumpctl work with mls policy [Orabug: 31405378]
- Allow virt_domain to mmap virt_content_t files [Orabug: 30932671] (Naoki Tanaka)
- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection [Orabug: 30537515]
- Enable policykit and sssd policy modules with minimum policy [Orabug: 29744511] (Naoki Tanaka)
- Allow cloud_init_t to dbus chat with systemd_logind_t [Orabug: 29399653]
- Allow udev_t to load modules [Orabug: 28260775]
- Add vhost-scsi to be vhost_device_t type [Orabug: 27774921]
- Obsolete docker-engine-selinux [Orabug: 26439663]
- Fix container selinux policy [Orabug: 26427364]
- Allow ocfs2_dlmfs to be mounted with ocfs2_dlmfs_t type
-
Thu Sep 17 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-54
- Allow plymouth sys_chroot capability
Resolves: rhbz#1869814
-
Sun Aug 23 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-53
- Allow certmonger fowner capability
Resolves: rhbz#1870596
- Define named file transition for saslauthd on /tmp/krb5_0.rcache2
Resolves: rhbz#1870300
- Label /usr/libexec/qemu-pr-helper with virtd_exec_t
Resolves: rhbz#1867115
-
Thu Aug 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-52
- Add ipa_helper_noatsecure() interface unconditionally
Resolves: rhbz#1853432
- Conditionally allow nagios_plugin_domain dbus chat with init
Resolves: rhbz#1750821
- Revert "Update allow rules set for nrpe_t domain"
Resolves: rhbz#1750821
- Add ipa_helper_noatsecure() interface to ipa.if
Resolves: rhbz#1853432
- Allow tomcat map user temporary files
Resolves: rhbz#1857675
- Allow tomcat manage user temporary files
Resolves: rhbz#1857675
- Add file context for /sys/kernel/tracing
Resolves: rhbz#1847331
- Define named file transition for sshd on /tmp/krb5_0.rcache2
Resolves: rhbz#1848953
-
Mon Aug 03 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-51
- Allow kadmind manage kerberos host rcache
Resolves: rhbz#1863043
- Allow virtlockd only getattr and lock block devices
Resolves: rhbz#1832756
- Allow qemu-ga read all non security file types conditionally
Resolves: rhbz#1747960
- Allow virtlockd manage VMs posix file locks
Resolves: rhbz#1832756
- Add dev_lock_all_blk_files() interface
Resolves: rhbz#1832756
- Allow systemd-logind dbus chat with fwupd
Resolves: rhbz#1851932
- Update xserver_rw_session macro
Resolves: rhbz#1851448
-
Wed Jul 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-50
- Revert "Allow qemu-kvm read and write /dev/mapper/control"
This reverts commit f948eaf3d010215fc912e42013e4f88870279093.
- Allow smbd get attributes of device files labeled samba_share_t
Resolves: rhbz#1851816
- Allow tomcat read user temporary files
Resolves: rhbz#1857675
- Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain"
Resolves: rhbz#1815281
- Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t
Resolves: rhbz#1848953
- Allow auditd manage kerberos host rcache files
Resolves: rhbz#1855770
-
Thu Jul 09 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-49
- Additional support for keepalived running in a namespace
Resolves: rhbz#1815281
- Allow keepalived manage its private type runtime directories
Resolves: rhbz#1815281
- Run ipa_helper_noatsecure(oddjob_t) only if the interface exists
Resolves: rhbz#1853432
- Allow oddjob_t process noatsecure permission for ipa_helper_t
Resolves: rhbz#1853432
- Allow domain dbus chat with systemd-resolved
Resolves: rhbz#1852378
- Define file context for /var/run/netns directory only
Related: rhbz#1815281
-
Mon Jun 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-48
- Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t
Resolves: rhbz#1836820
-
Mon Jun 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-47
- Allow virtlogd_t manage virt lib files
Resolves: rhbz#1832756
- Allow pdns server to read system state
Resolves: rhbz#1801214
- Support systemctl --user in machinectl
Resolves: rhbz#1788616
- Allow chkpwd_t read and write systemd-machined devpts character nodes
Resolves: rhbz#1788616
- Allow init_t write to inherited systemd-logind sessions pipes
Resolves: rhbz#1788616
- Label systemd-growfs and systemd-makefs as fsadm_exec_t
Resolves: rhbz#1820798
- Allow staff_u and user_u setattr generic usb devices
Resolves: rhbz#1783325
- Allow sysadm_t dbus chat with accountsd
Resolves: rhbz#1828809
-
Tue Jun 23 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-46
- Fix description tag for the sssd_connect_all_unreserved_ports tunable
Related: rhbz#1826748
- Allow journalctl process set its resource limits
Resolves: rhbz#1825894
- Add sssd_access_kernel_keys tunable to conditionally access kernel keys
Resolves: rhbz#1802062
- Make keepalived work with network namespaces
Resolves: rhbz#1815281
- Create sssd_connect_all_unreserved_ports boolean
Resolves: rhbz#1826748
- Allow hypervkvpd to request kernel to load a module
Resolves: rhbz#1842414
- Allow systemd_private_tmp(dirsrv_tmp_t)
Resolves: rhbz#1836820
- Allow radiusd connect to gssproxy over unix domain stream socket
Resolves: rhbz#1813572
- Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?'
Resolves: rhbz#1832231
- Modify kernel_rw_key() not to include append permission
Related: rhbz#1802062
- Add kernel_rw_key() interface to access kernel keyrings
Related: rhbz#1802062
- Modify systemd_delete_private_tmp() to use delete_*_pattern macros
Resolves: rhbz#1836820
- Allow systemd-modules to load kernel modules
Resolves: rhbz#1823246
- Add cachefiles_dev_t as a typealias to cachefiles_device_t
Resolves: rhbz#1814796