- Update to version 20240411:
* Remove duplicate in sysnetwork.fc
* Rename /var/run/wicked* to /run/wicked*
* Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc
* policy: support pidfs
* Confine selinux-autorelabel-generator.sh
* Allow logwatch_mail_t read/write to init over a unix stream socket
* Allow logwatch read logind sessions files
* files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it
* files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it
* Allow NetworkManager the sys_ptrace capability in user namespace
* dontaudit execmem for modemmanager
* Allow dhcpcd use unix_stream_socket
* Allow dhcpc read /run/netns files
* Update mmap_rw_file_perms to include the lock permission
* Allow plymouthd log during shutdown
* Add logging_watch_all_log_dirs() and logging_watch_all_log_files()
* Allow journalctl_t read filesystem sysctls
* Allow cgred_t to get attributes of cgroup filesystems
* Allow wdmd read hardware state information
* Allow wdmd list the contents of the sysfs directories
* Allow linuxptp configure phc2sys and chronyd over a unix domain socket
* Allow sulogin relabel tty1
* Dontaudit sulogin the checkpoint_restore capability
* Modify sudo_role_template() to allow getpgid
* Allow userdomain get attributes of files on an nsfs filesystem
* Allow opafm create NFS files and directories
* Allow virtqemud create and unlink files in /etc/libvirt/
* Allow virtqemud domain transition on swtpm execution
* Add the swtpm.if interface file for interactions with other domains
* Allow samba to have dac_override capability
* systemd: allow sys_admin capability for systemd_notify_t
* systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
* Allow thumb_t to watch and watch_reads mount_var_run_t
* Allow krb5kdc_t map krb5kdc_principal_t files
* Allow unprivileged confined user dbus chat with setroubleshoot
* Allow login_userdomain map files in /var
* Allow wireguard work with firewall-cmd
* Differentiate between staff and sysadm when executing crontab with sudo
* Add crontab_admin_domtrans interface
* Allow abrt_t nnp domain transition to abrt_handle_event_t
* Allow xdm_t to watch and watch_reads mount_var_run_t
* Dontaudit subscription manager setfscreate and read file contexts
* Don't audit crontab_domain write attempts to user home
* Transition from sudodomains to crontab_t when executing crontab_exec_t
* Add crontab_domtrans interface
* Fix label of pseudoterminals created from sudodomain
* Allow utempter_t use ptmx
* Dontaudit rpmdb attempts to connect to sssd over a unix stream socket
* Allow admin user read/write on fixed_disk_device_t
* Only allow confined user domains to login locally without unconfined_login
* Add userdom_spec_domtrans_confined_admin_users interface
* Only allow admindomain to execute shell via ssh with ssh_sysadm_login
* Add userdom_spec_domtrans_admin_users interface
* Move ssh dyntrans to unconfined inside unconfined_login tunable policy
* Update ssh_role_template() for user ssh-agent type
* Allow init to inherit system DBus file descriptors
* Allow init to inherit fds from syslogd
* Allow any domain to inherit fds from rpm-ostree
* Update afterburn policy
* Allow init_t nnp domain transition to abrtd_t
* Rename all /var/lock file context entries to /run/lock
* Rename all /var/run file context entries to /run
- Add script varrun-convert.sh for locally existing modules
to be able to cope with the /var/run -> /run change
- Update embedded container-selinux to commit
a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e
OBS-URL: https://build.opensuse.org/request/show/1166915
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=217
- Update to version 20230622:
* Allow keyutils_dns_resolver_exec_t be an entrypoint
* Allow collectd_t read network state symlinks
* Revert "Allow collectd_t read proc_net link files"
* Allow nfsd_t to list exports_t dirs
* Allow cupsd dbus chat with xdm
* Allow haproxy read hardware state information
* Label /dev/userfaultfd with userfaultfd_t
* Allow blueman send general signals to unprivileged user domains
* Allow dkim-milter domain transition to sendmail
OBS-URL: https://build.opensuse.org/request/show/1094792
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=187