-
Tue Apr 30 2024 Pooja Senthil Kumar <pooja.senthil.kumar@oracle.com> - 38.1.35-2.0.1
- Allow exim_t to read exim_log_t and manage exim_spool_t link files [Orabug: 36430005]
- Allow cgred_t to get attributes of cgroup filesystems [Orabug: 36176655]
- Allow kdumpctl_t to execmem [Orabug: 35381156]
- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition [Orabug: 35091334]
- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files [Orabug: 35122619]
- Label /var/log/kdump.log with kdump_log_t [Orabug: 33810371]
- Allow rpm_t sys_admin capability [Orabug: 34250651]
- Make systemd_tmpfiles_t MLS trusted for lowering the level of files [Orabug: 33841245]
- Allow nfsd_t to list exports_t dirs [Orabug: 33844301]
- Allow fsadm_t to get attributes of cgroup filesystems [Orabug: 33841268]
- Allow tuned_t to read the process state of all domains [Orabug: 33520684]
- Make import-state work with mls policy [Orabug: 32636699]
- Add map permission to lvm_t on lvm_metadata_t. [Orabug: 31405325]
- Add comment for map on lvm_metadata_t. [Orabug: 31405325]
- Make iscsiadm work with mls policy [Orabug: 32725411]
- Make cloud-init work with mls policy [Orabug: 32430460]
- Allow systemd-pstore to transfer files from /sys/fs/pstore [Orabug: 31594666]
- Make smartd work with mls policy [Orabug: 32430379]
- Allow sysadm_t to mmap modules_object_t files [Orabug: 32411855]
- Allow tuned_t to execute systemd_systemctl_exec_t files [Orabug: 32355342]
- Make udev work with mls policy [Orabug: 31405299]
- Make tuned work with mls policy [Orabug: 31396024]
- Make lsmd, rngd, and kdumpctl work with mls policy [Orabug: 31405378]
- Allow virt_domain to mmap virt_content_t files [Orabug: 30932671]
- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection [Orabug: 30537515]
- Allow udev_t to load modules [Orabug: 28260775]
- Add vhost-scsi to be vhost_device_t type [Orabug: 27774921]
- Fix container selinux policy [Orabug: 26427364]
- Allow ocfs2_dlmfs to be mounted with ocfs2_dlmfs_t type. [Orabug: 13333429]
-
Thu Mar 14 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.35-2
- Rebuild
Resolves: RHEL-26663
-
Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.35-1
- Allow wdmd read hardware state information
Resolves: RHEL-26663
-
Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.34-1
- Allow wdmd list the contents of the sysfs directories
Resolves: RHEL-26663
- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
Resolves: RHEL-26660
-
Thu Feb 22 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.33-1
- Allow thumb_t to watch and watch_reads mount_var_run_t
Resolves: RHEL-26073
- Allow opafm create NFS files and directories
Resolves: RHEL-17820
- Label /tmp/libdnf.* with user_tmp_t
Resolves: RHEL-11250
-
Thu Feb 15 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.32-1
- Dontaudit subscription manager setfscreate and read file contexts
Resolves: RHEL-21635
- Allow xdm_t to watch and watch_reads mount_var_run_t
Resolves: RHEL-24841
- Allow unix dgram sendto between exim processes
Resolves: RHEL-21902
- Allow utempter_t use ptmx
Resolves: RHEL-24946
- Only allow confined user domains to login locally without unconfined_login
Resolves: RHEL-1551
- Add userdom_spec_domtrans_confined_admin_users interface
Resolves: RHEL-1551
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
Resolves: RHEL-1551
- Add userdom_spec_domtrans_admin_users interface
Resolves: RHEL-1551
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
Resolves: RHEL-1551
-
Thu Jan 25 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.31-1
- Allow chronyd-restricted read chronyd key files
Resolves: RHEL-18219
- Allow conntrackd_t to use bpf capability2
Resolves: RHEL-22277
- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
Resolves: RHEL-14735
- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
Resolves: RHEL-14505
- Add interface for write-only access to NetworkManager rw conf
Resolves: RHEL-14505
- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
Resolves: RHEL-11792
-
Fri Jan 12 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.30-1
- Allow sysadm execute traceroute in sysadm_t domain using sudo
Resolves: RHEL-14077
- Allow qatlib set attributes of vfio device files
Resolves: RHEL-19051
- Allow qatlib load kernel modules
Resolves: RHEL-19051
- Allow qatlib run lspci
Resolves: RHEL-19051
- Allow qatlib manage its private runtime socket files
Resolves: RHEL-19051
- Allow qatlib read/write vfio devices
Resolves: RHEL-19051
- Allow syslog to run unconfined scripts conditionally
Resolves: RHEL-11174
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
Resolves: RHEL-11174
- Allow sendmail MTA connect to sendmail LDA
Resolves: RHEL-15175
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
Resolves: RHEL-15432
- Allow opafm search nfs directories
Resolves: RHEL-17820
- Allow mdadm list stratisd data directories
Resolves: RHEL-19276
- Update cyrus_stream_connect() to use sockets in /run
Resolves: RHEL-19282
- Allow collectd connect to statsd port
Resolves: RHEL-21044
- Allow insights-client transition to sap unconfined domain
Resolves: RHEL-21452
- Create the sap module
Resolves: RHEL-21452
-
Thu Dec 14 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.29-1
- Add init_explicit_domain() interface
Resolves: RHEL-18219
- Allow dovecot_auth_t connect to postgresql using UNIX socket
Resolves: RHEL-16850
- Allow keepalived_t to use sys_ptrace of cap_userns
Resolves: RHEL-17156
- Make `bootc` be `install_exec_t`
Resolves: RHEL-19199
- Add support for chronyd-restricted
Resolves: RHEL-18219
- Label /dev/vas with vas_device_t
Resolves: RHEL-17336
- Allow gpsd use /dev/gnss devices
Resolves: RHEL-16676
- Allow sendmail manage its runtime files
Resolves: RHEL-15175
- Add support for syslogd unconfined scripts
Resolves: RHEL-11174
-
Thu Nov 30 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.28-1
- Create interface selinux_watch_config and add it to SELinux users
Resolves: RHEL-1555
- Allow winbind_rpcd_t processes access when samba_export_all_* is on
Resolves: RHEL-16273
- Allow samba-dcerpcd connect to systemd_machined over a unix socket
Resolves: RHEL-16273
- Allow winbind-rpcd make a TCP connection to the ldap port
Resolves: RHEL-16273
- Allow sudodomain read var auth files
Resolves: RHEL-16708
- Allow auditd read all domains process state
Resolves: RHEL-14285
- Allow rsync read network sysctls
Resolves: RHEL-14638
- Add dhcpcd bpf capability to run bpf programs
Resolves: RHEL-15326
- Allow systemd-localed create Xserver config dirs
Resolves: RHEL-16716
- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
Resolves: RHEL-1553
- Update sendmail policy module for opensmtpd
Resolves: RHEL-15175