-
Sun Oct 06 2019 Natalya Naumova <natalya.naumova@oracle.com> - 3.14.3-20.0.1
- Enable policykit and sssd policy modules with minimum policy [Orabug: 29744511] (Naoki Tanaka)
- Allow init_t to relabel all lock files [Orabug: 29846265] (Naoki Tanaka)
- Allow cloud_init_t to dbus chat with systemd_logind_t [Orabug: 29399653]
- Allow udev_t to load modules [Orabug: 28260775]
- Add vhost-scsi to be vhost_device_t type [Orabug: 27774921]
- Obsolete docker-engine-selinux [Orabug: 26439663]
- Fix container selinux policy [Orabug: 26427364]
- Allow ocfs2_dlmfs to be mounted with ocfs2_dlmfs_t type.
-
Mon Sep 16 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-20
- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces.
- Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label
Resolves: rhbz#1720639
-
Fri Aug 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-19
- Update cpucontrol_t SELinux policy
Resolves: rhbz#1743930
-
Mon Aug 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-18
- Allow dlm_controld_t domain to transition to the lvm_t
Resolves: rhbz#1732956
-
Fri Aug 16 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-17
- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t
Resolves: rhbz#1669485
- Fix typo in networkmanager_append_log() interface
Resolves: rhbz#1687460
- Update gpg policy to make it work with confined users
Resolves: rhbz#1640296
-
Wed Aug 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-16
- Allow audisp_remote_t domain to read kerberos keytab
Resolves: rhbz#1740146
-
Mon Aug 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-15
- Dontaudit abrt_t domain to read root_t files
Resolves: rhbz#1734403
- Allow ipa_dnskey_t domain to read kerberos keytab
Resolves: rhbz#1730144
- Update ibacm_t policy
- Allow dlm_controld_t domain setgid capability
Resolves: rhbz#1738608
- Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp
Resolves: rhbz#1740146
- Update systemd_dontaudit_read_unit_files() interface to also dontaudit listing dirs
Resolves: rhbz#1670139
-
Wed Aug 07 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-14
- Allow cgdcbxd_t domain to list cgroup dirs
Resolves: rhbz#1651991
-
Mon Jul 29 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-13
- Allow search krb5_keytab_t dirs for interfaces kerberos_read_keytab() and kerberos_rw_keytab
Resolves: rhbz#1730144
- Allow virtlockd process read virtlockd.conf file
Resolves: rhbz#1733185
- Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.
Resolves: rhbz#1733185
- Allow brltty to request to load kernel module
Resolves: rhbz#1689955
- Add svnserve_tmp_t label for svnserve temp files to system private tmp
Resolves: rhbz#1729955
- Dontaudit svirt_tcg_t domain to read process state of libvirt
Resolves: rhbz#1732500
- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool
Resolves: rhbz#1732381
- Allow cyrus work with PrivateTmp
Resolves: rhbz#1725023
- Make cgdcbxd_t domain working with SELinux enforcing.
Resolves: rhbz#1651991
- Remove system_r role from staff_u user.
Resolves: rhbz#1677052
- Add systemd_private_tmp_type attribute
Resolves: rhbz#1725023
- Allow systemd to load kernel modules during boot process.
Resolves: rhbz#1644805
-
Fri Jul 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-12
- Make wireshark work when executed by confined users staff_t and sysadm_t
Resolves: rhbz#1712788
- Label user cron spool file with user_cron_spool_t
Resolves: rhbz#1727342
- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool
Resolves: rhbz#1668667
- Update svnserve_t policy to make svnserve hooks work
Resolves: rhbz#1729955
- Allow varnishlog_t domain to check for presence of varnishd_t domains
Resolves: rhbz#1730270
- Allow lsmd_t domain to execute /usr/bin/debuginfo-install
Resolves: rhbz#1720648
- Update sandboxX policy to make firefox work inside SELinux sandbox
Resolves: rhbz#1663874
- Remove allow rule from svirt_transition_svirt_sandbox interface so that containers are not allowed to connect to random services
Resolves: rhbz#1695248
- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices
Resolves: rhbz#1690484
- Allow opafm_t domain to modify scheduling information of another process.
Resolves: rhbz#1725874
- Allow gssd_t domain to list tmpfs_t dirs
Resolves: rhbz#1674470
- Allow mdadm_t domain to read tmpfs_t files
Resolves: rhbz#1669996
- Allow sbd_t domain to check presence of processes labeled as cluster_t
Resolves: rhbz#1669595
- Dontaudit httpd_sys_script_t to read systemd unit files
Resolves: rhbz#1670139
- Allow blkmapd_t domain to read nvme devices
Resolves: rhbz#1669985
- Update cpucontrol_t domain to make microcode service work
Resolves: rhbz#1669485
- Allow domain transition from logwatch_t to postfix_postqueue_t
Resolves: rhbz#1669162
- Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test'
Resolves: rhbz#1696252
- Allow httpd_sys_script_t domain to mmap httpdcontent
Resolves: rhbz#1693137
- Allow sbd_t to manage cgroups_t files
Resolves: rhbz#1715134
- Update wireshark policy to make tshark labeled as wireshark_t work
Resolves: rhbz#1711005
- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files
Resolves: rhbz#1719083
- Allow sbd_t domain to use nsswitch
Resolves: rhbz#1723498
- Allow sysadm_t and staff_t domains to read wireshark shared memory
Resolves: rhbz#1712788
- Label /usr/libexec/utempter/utempter as utemper_exec_t
Resolves: rhbz#1729571
- Allow unconfined_domain_type to setattr own process lnk files.
Resolves: rhbz#1730500
- Add interface files_write_generic_pid_sockets()
- Dontaudit writing to user home dirs by gnome-keyring-daemon
Resolves: rhbz#1689797
- Allow staff and admin domains to setpcap in user namespace
Resolves: rhbz#1673922
- Allow staff and sysadm to use lockdev
Resolves: rhbz#1673269
- Allow staff and sysadm users to run iotop.
Resolves: rhbz#1671241
- Dontaudit traceroute_t domain require sys_admin capability
Resolves: rhbz#1671672
- Dontaudit dbus chat between kernel_t and init_t
Resolves: rhbz#1669095
- Allow systemd labeled as init_t to create mountpoints without any specific label as default_t
Resolves: rhbz#1696144