Activity · fedora-selinux/selinux-policy

Repository: fedora-selinux/selinux-policy (public, organization-owned; default branch rawhide; created 2014-07-08)
Listing: all activity types, all branches, newest first, 30 items per page; older activity continues on the next page.
Each entry gives the push time, the branch, the push type and commit count, the pusher, the branch head before -> after, and the head commit's message.

2024-09-20T18:08:11Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  6008a54185af7f6fafce8f00ce1f588cafbdb026 -> fe8833a98c5dbc42f864ceeccd6305d5c5cb38fc

    Remove fc entry for /usr/bin/pump

    The dhcpc_exec_t type was assigned to /usr/bin/pump because it was
    a part of the pump ("configure network interface via BOOTP or DHCP
    protocol") package which is not available in Fedora any longer. This
    clashes with the same executable name from current distcc ("Distributed
    C/C++ compilation") package where no private type is needed.

    Resolves: rhbz#2312044

2024-09-20T18:07:55Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  a95ec6ae31dc99bb6d0655e73a8bca69f90b91c4 -> 6008a54185af7f6fafce8f00ce1f588cafbdb026

    Label /usr/bin/noping and /usr/bin/oping with ping_exec_t

    These commands are provided by the liboping package.

    Resolves: rhbz#2305961

2024-09-20T18:07:38Z  refs/heads/rawhide  PR merge, 2 commits  pushed by zpytela (Zdeněk Pytela)
  ac112bab51f0268fc2c23625a085284c63f2a5d6 -> a95ec6ae31dc99bb6d0655e73a8bca69f90b91c4

    Allow accountsd read gnome-initial-setup tmp files

    The commit addresses the following AVC denial:
    type=PROCTITLE msg=audit(09/18/2024 16:19:39.559:209) : proctitle=/usr/libexec/accounts-daemon
    type=SYSCALL msg=audit(09/18/2024 16:19:39.559:209) : arch=x86_64 syscall=statx success=yes exit=0 a0=0xffffff9c a1=0x55ee21e7b980 a2=0x900 a3=0xfff items=0 ppid=1 pid=828 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)
    type=AVC msg=audit(09/18/2024 16:19:39.559:209) : avc: denied { getattr } for pid=828 comm=accounts-daemon path=/tmp/usericonSQPZT2 dev="tmpfs" ino=49 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:gnome_initial_setup_var_run_t:s0 tclass=file permissive=1

    Resolves: rhbz#2278845

2024-09-20T18:07:17Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  fe0cb886dd236ed5e62eabef43027c135b057201 -> ac112bab51f0268fc2c23625a085284c63f2a5d6

    Allow rngd read and write generic usb devices

    When the rngd service is started, it looks for good sources of random
    data, e.g. a TV tuner like this:
    Bus 001 Device 012: ID 0bda:2838 Realtek Semiconductor Corp. RTL2838 DVB-T

    The commit addresses the following AVC denial:
    type=AVC msg=audit(1720074976.413:170): avc: denied { read write } for pid=1914 comm="rngd" name="012" dev="devtmpfs" ino=533 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
    type=SYSCALL msg=audit(1720074976.413:170): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7ffd075886d0 a2=80002 a3=0 items=1 ppid=1 pid=1914 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rngd exe=/usr/sbin/rngd subj=system_u:system_r:rngd_t:s0 key=(null)
    type=PATH msg=audit(1720074976.413:170): item=0 name=/dev/bus/usb/001/012 inode=533 dev=00:06 mode=020664 ouid=0 ogid=990 rdev=bd:0b obj=system_u:object_r:usb_device_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

    Resolves: rhbz#1892399

2024-09-20T18:03:26Z  refs/heads/rawhide  PR merge, 2 commits  pushed by zpytela (Zdeněk Pytela)
  a8ce5d69b7b9d8fc5e29e6a53fc1ca2028e92161 -> fe0cb886dd236ed5e62eabef43027c135b057201

    Allow qatlib search the content of the kernel debugging filesystem

    The commit addresses the following AVC denial:
    type=AVC msg=audit(19/09/24 10:36:25.585:1092) : avc: denied { search } for pid=9727 comm=qat_init.sh name=qat_4xxx_0000:e8:00.0 dev="debugfs" ino=98915 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1

    Resolves: https://github.com/fedora-selinux/selinux-policy/issues/2312

2024-09-18T11:10:04Z  refs/heads/rawhide  PR merge, 3 commits  pushed by bachradsusi (Petr Lautrbach)
  6939d61831528ee1a873255f78b2c377ace80c89 -> a8ce5d69b7b9d8fc5e29e6a53fc1ca2028e92161

    mls/modules.conf - fix typo

2024-09-13T12:15:21Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  1a7d7f45007966c3c507fb9d345517453fda2f07 -> 6939d61831528ee1a873255f78b2c377ace80c89

    Allow unprivileged user watch /run/systemd

    This is similar to commit 8b480be6082b ("Allow staff use watch /run/systemd"),
    just for user_t.

    The commit addresses the following AVC denial:
    type=AVC msg=audit(1725791489.845:352): avc: denied { watch } for pid=5967 comm="cockpit-bridge" path="/run/systemd" dev="tmpfs" ino=2 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0

    Resolves: rhbz#2310648

2024-09-13T12:15:05Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  8dd76b0fff2de58e354c4d43077dc27945683dd9 -> 1a7d7f45007966c3c507fb9d345517453fda2f07

    CI: update to actions/checkout@v4

    Fixes a deprecation warning:

    The following actions use a deprecated Node.js version and will be forced to run on node20: actions/checkout@v3. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/

2024-09-13T12:14:38Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  12ff29983e4d1e3e8e7aa855f49aa09bace77489 -> 8dd76b0fff2de58e354c4d43077dc27945683dd9

    Allow boothd connect to kernel over a unix socket

    It actually allows boothd connect to systemd-userdbd over a unix socket
    when the socket is still labeled as kernel_t.

    The commit addresses the following AVC denial:
    type=PROCTITLE msg=audit(09/09/2024 15:21:42.512:2513) : proctitle=/usr/sbin/boothd daemon -S -c /etc/booth/booth.conf
    type=PATH msg=audit(09/09/2024 15:21:42.512:2513) : item=0 name=/run/systemd/userdb/io.systemd.DynamicUser inode=43 dev=00:1b mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_userdbd_runtime_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=SOCKADDR msg=audit(09/09/2024 15:21:42.512:2513) : saddr={ saddr_fam=local path=/run/systemd/userdb/io.systemd.DynamicUser }
    type=SYSCALL msg=audit(09/09/2024 15:21:42.512:2513) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x4 a1=0x7fff90ca7ec0 a2=0x2d a3=0x55fe78f35430 items=1 ppid=1 pid=61596 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=boothd exe=/usr/sbin/boothd subj=system_u:system_r:boothd_t:s0 key=(null)
    type=AVC msg=audit(09/09/2024 15:21:42.512:2513) : avc: denied { connectto } for pid=61596 comm=boothd path=/systemd/userdb/io.systemd.DynamicUser scontext=system_u:system_r:boothd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0

    Resolves: RHEL-45907

2024-09-12T09:07:01Z  refs/heads/rawhide  PR merge, 2 commits  pushed by bachradsusi (Petr Lautrbach)
  ce83836afdaadb358512903a68e1e8866e399d77 -> 12ff29983e4d1e3e8e7aa855f49aa09bace77489

    Clean up and sync securetty_types

    Remove types that are just aliases of user_tty_device_t and add
    console_device_t also to config/appconfig-standard/securetty_types.

    Also note that secureadm_tty_device_t was a misspelling of
    secadm_tty_device_t - such type doesn't exist in the policy at all.

    Signed-off-by: Ondrej Mosnacek

2024-09-11T13:23:47Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  51776c857cb6e602b72e23f31e0c260c3f296372 -> ce83836afdaadb358512903a68e1e8866e399d77

    Confine gnome-remote-desktop

    - add new gnome_remote_desktop_t port mapping for tcp 3389-3399
    - add file type for /var/lib/gnome-remote-desktop(/.*)?
    - add new domain and transition for /usr/libexec/gnome-remote-desktop-daemon

    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2271661

2024-09-11T11:27:07Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  9ff60a4a80fbe2df85983dba2014a1381e2ba77a -> 51776c857cb6e602b72e23f31e0c260c3f296372

    Allow virtstoraged execute mount programs in the mount domain

    The commit addresses the following AVC denial:
    type=PROCTITLE msg=audit(09/10/2024 09:02:19.765:1406) : proctitle=/usr/bin/mount -o nodev,nosuid,noexec -t auto /dev/vdb1 /var/lib/libvirt/images/vm-mountpoint-1
    type=EXECVE msg=audit(09/10/2024 09:02:19.765:1406) : argc=7 a0=/usr/bin/mount a1=-o a2=nodev,nosuid,noexec a3=-t a4=auto a5=/dev/vdb1 a6=/var/lib/libvirt/images/vm-mountpoint-1
    type=SYSCALL msg=audit(09/10/2024 09:02:19.765:1406) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7fe308002410 a1=0x7fe308001f60 a2=0x7ffe9070c6a8 a3=0x0 items=1 ppid=7130 pid=7232 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mount exe=/usr/bin/mount subj=system_u:system_r:virtstoraged_t:s0 key=(null)
    type=AVC msg=audit(09/10/2024 09:02:19.765:1406) : avc: denied { map } for pid=7232 comm=mount path=/usr/bin/mount dev="vda3" ino=793633 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
    type=AVC msg=audit(09/10/2024 09:02:19.765:1406) : avc: denied { execute_no_trans } for pid=7232 comm=rpc-virtstorage path=/usr/bin/mount dev="vda3" ino=793633 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
    type=AVC msg=audit(09/10/2024 09:02:19.765:1406) : avc: denied { execute } for pid=7232 comm=rpc-virtstorage name=mount dev="vda3" ino=793633 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1

    Resolves: rhbz#2311178

2024-09-11T11:24:25Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  1d355565fafbf2a4534fb34a9de6a270f9822b96 -> 9ff60a4a80fbe2df85983dba2014a1381e2ba77a

    Make mdevctl_conf_t member of the file_type attribute

    In the 1d355565faf commit ("Label /etc/mdevctl.d with mdevctl_conf_t"),
    a new file type was defined, but it was not made a part of the file_type
    attribute.

    Resolves: rhbz#2311359

2024-09-06T19:03:18Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  b57d1fd1203e81f5bd19ebd21b8e2ccca47534c9 -> 1d355565fafbf2a4534fb34a9de6a270f9822b96

    Label /etc/mdevctl.d with mdevctl_conf_t

    Allow virtnodedevd create /etc/mdevctl.d with a file transition and
    manage mdevctl_conf_t files.

    Resolves: RHEL-39893

2024-09-06T19:03:06Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  1849ca30ae63909ecc1aceec269eef1b75e4a4f3 -> b57d1fd1203e81f5bd19ebd21b8e2ccca47534c9

    Sync users with Fedora targeted users

2024-09-06T18:59:32Z  refs/heads/rawhide  PR merge, 2 commits  pushed by zpytela (Zdeněk Pytela)
  d62b0d353cb8d537e8673b32a943ef2279f0c54a -> 1849ca30ae63909ecc1aceec269eef1b75e4a4f3

    Update policy for rpc-virtstorage

    In particular, domain transition on udev and parted execution and
    r/w operations on fixed disk devices were allowed.

    Resolves: rhbz#2305564

2024-09-06T18:55:21Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  f5bd2a768aa0e99b5f5fa4dd98c249fc19a41a54 -> d62b0d353cb8d537e8673b32a943ef2279f0c54a

    Fix SELinux policy for sandbox X server to fix 'sandbox -X' command

2024-09-06T07:20:00Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  7ece86148a0912767922bfd6998a0378fa6093ce -> f5bd2a768aa0e99b5f5fa4dd98c249fc19a41a54

    Update bootupd policy when ESP is not mounted

    bootupd needs to check if device exists before mounting it,
    then uses "cp -a" to update the bootloader.

    The commit addresses the following AVC denials:
    type=AVC msg=audit(1725385838.182:370): avc: denied { getattr } for pid=3034 comm="bootupctl" path="/dev/vda1" dev="devtmpfs" ino=311 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
    type=AVC msg=audit(1725385843.983:373): avc: denied { setfscreate } for pid=3046 comm="cp" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:system_r:bootupd_t:s0 tclass=process permissive=1

    Resolves: https://github.com/fedora-selinux/selinux-policy/issues/2341

2024-09-04T15:33:29Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  bf29ee1fea678720147100b0259e1a4ddf3e2f68 -> 7ece86148a0912767922bfd6998a0378fa6093ce

    Allow thumb_t map dri devices

    The commit addresses the following AVC denial:
    type=AVC msg=audit(1710140836.332:583): avc: denied { map } for pid=1093967 comm="gst-plugin-scan" path="/dev/dri/renderD128" dev="devtmpfs" ino=458 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1

    Resolves: rhbz#2268960

2024-09-04T15:33:04Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  c355b9d105730de54e9097e5afdc580d0d501e16 -> bf29ee1fea678720147100b0259e1a4ddf3e2f68

    Allow samba use the io_uring API

    The commit addresses the following AVC denial example:
    type=AVC msg=audit(08/25/2024 22:56:47.375:253) : avc: denied { create } for pid=1244 comm=smbd[127.0.0.1] anonclass=[io_uring] scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1

    Resolves: rhbz#2307812

2024-09-04T15:29:15Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  c4f832a5f5dd737ac7240d35b4522b574f5cdb68 -> c355b9d105730de54e9097e5afdc580d0d501e16

    Allow the sysadm user use the secretmem API

    This is a follow-up commit to 41c4218e835a0 ("Add support for secretmem
    anon inode") which allowed the necessary permission to unconfined
    domain types. This commit allows it also for the sysadm_t domain.

    Note: Pages allocated with this method can never be swapped out of the
    physical memory and the system hibernation is blocked as long as any
    file descriptor created with this method exists, so this permission
    should be allowed to a very limited set of domains only.

    Resolves: rhbz#2270895

2024-09-04T15:28:24Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  155907936f63e9bf869f256d5d107b56f4f1f90a -> c4f832a5f5dd737ac7240d35b4522b574f5cdb68

    Allow nut-upsmon read systemd-logind session files

    The commit addresses the following AVC denial example:
    type=AVC msg=audit(08/25/24 15:08:31.976:201) : avc: denied { read } for pid=6543 comm=wall name=sessions dev="tmpfs" ino=1257 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir permissive=1

    Resolves: rhbz#2297933

2024-09-04T15:28:07Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  8346b7b48da4695513a8018f8e66b17c08a5e81d -> 155907936f63e9bf869f256d5d107b56f4f1f90a

    Allow sysadm_t to create PF_KEY sockets

    This is needed to run selinux-testsuite as sysadm_t starting with:
    https://github.com/SELinuxProject/selinux-testsuite/commit/a9e631f0f1d5b11756a62679e8da073b3cc85b13

    Signed-off-by: Ondrej Mosnacek

2024-09-02T19:41:08Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  3e53e58e5750cf525315a431d7862cd90c91f489 -> 8346b7b48da4695513a8018f8e66b17c08a5e81d

    Update bootupd policy for the removing-state-file test

    How to reproduce:
    Install a Fedora Silverblue 41 system
    run sudo rm /boot/bootupd-state.json
    run sudo bootupctl update

    The commit addresses the following AVC denial example:
    type=AVC msg=audit(1725290040.770:431): avc: denied { open } for pid=4524 comm="bootupctl" path="/boot/efi/EFI/BOOT/BOOTIA32.EFI" dev="vda1" ino=142 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1

    Resolves: https://github.com/fedora-selinux/selinux-policy/issues/2334

2024-08-30T10:25:54Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  45da5e7314f671f21944940f11020caeb0a98ee9 -> 3e53e58e5750cf525315a431d7862cd90c91f489

    Allow coreos-installer-generator manage mdadm_conf_t files

    Resolves: RHEL-38614

2024-08-29T12:23:42Z  refs/heads/c9s  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  b98a9aa153fa314a437f7f979d06efdb191f5a24 -> 0113b35519369e628e7fcd87af000cfcd4b1fa6c

    Allow setsebool_t relabel selinux data files

    Since the "libsemanage: Preserve file context and ownership in policy store"
    commit [1], libsemanage ensures that ownership and also SELinux context
    of policy data files are correct.

    This requires additional permissions for setsebool_t when there is
    a process transition for the setsebool command defined, such as when
    executed from an rpm scriptlet.

    Assigning to the following attributes is also needed:
    - can_change_object_identity because it actually is the user part of the
      context which is being fixed; role part is not a subject of constraint
      violation rules
    - can_relabelto_binary_policy to be able to modify the policy store context
      (neverallow rule)

    [1] https://github.com/SELinuxProject/selinux/commit/d96f27bf7cb9

    Resolves: RHEL-55414

2024-08-29T11:32:02Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  efaaf9d774cba12d6477e620c26961b8609d2506 -> 45da5e7314f671f21944940f11020caeb0a98ee9

    Allow setsebool_t relabel selinux data files

    (Commit message identical to the c9s push above, 2024-08-29T12:23:42Z; Resolves: RHEL-55414.)

2024-08-29T11:28:36Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  410bd80310cc12070b3a7e82108333bc45eda389 -> efaaf9d774cba12d6477e620c26961b8609d2506

    Allow virtqemud relabelfrom virtqemud_var_run_t dirs

    Resolves: RHEL-49763

2024-08-29T11:23:17Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  6aeb7c0daa67104dd7039445ec99c45b47bb8383 -> 410bd80310cc12070b3a7e82108333bc45eda389

    Use better escape method for "interface"

    Fixes commit c7e8af00ef03 ("Escape "interface" as a file name in a
    virt filetrans pattern")

2024-08-29T11:22:44Z  refs/heads/rawhide  PR merge, 1 commit  pushed by zpytela (Zdeněk Pytela)
  c8d8d4f4a123fe9826891af416ae46525ab7e313 -> 6aeb7c0daa67104dd7039445ec99c45b47bb8383

    Allow init and systemd-logind to inherit fds from sshd

    This is required by systemd since commit 76f2191d8eb5 ("logind:
    introduce CreateSessionWithPIDFD()") when domain_fd_use is turned off.

    Otherwise trying to SSH into the system will hang for two minutes until
    the timeout triggers a fallback and the SSH session is finally created.

    Signed-off-by: Ondrej Mosnacek

(30 of more entries shown; older activity continues on the next page.)
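Most of the commit messages above follow the same pattern: an AVC denial is quoted, and the policy change grants the missing permission to the source domain on the target type. The following is an added example, not code from the selinux-policy project, that does the mechanical part of that translation the way audit2allow does: it parses the AVC records (several copied verbatim from the messages above are embedded as constructed input, together with one SYSCALL record the parser must skip), groups denials by source type, target type and object class, merges the permissions, and records whether any denial was hit in enforcing mode (permissive=0, as in the rngd case where openat really returned EACCES) or only audited in permissive mode. The regular expressions and the rule format are mine; the generated rules are a starting point for review, not the fix: for the virtstoraged denials the maintainers granted a transition into the mount domain rather than execute_no_trans on mount_exec_t, and the secretmem and setsebool messages show that some permissions belong to a deliberately small set of domains.

```python
"""Turn AVC denial records into candidate SELinux allow rules.

Added example for this page; not code from the selinux-policy project.
It mimics the core of what audit2allow does: group denials by
(source type, target type, object class) and merge the permissions.
"""
import re
from collections import defaultdict

# Constructed input: AVC records copied from commit messages on this page,
# plus one non-AVC audit record that the parser must ignore.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1720074976.413:170): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7ffd075886d0 a2=80002 a3=0 items=1 ppid=1 pid=1914 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rngd exe=/usr/sbin/rngd subj=system_u:system_r:rngd_t:s0 key=(null)
type=AVC msg=audit(1720074976.413:170): avc: denied { read write } for pid=1914 comm="rngd" name="012" dev="devtmpfs" ino=533 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(09/10/2024 09:02:19.765:1406) : avc: denied { map } for pid=7232 comm=mount path=/usr/bin/mount dev="vda3" ino=793633 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/10/2024 09:02:19.765:1406) : avc: denied { execute_no_trans } for pid=7232 comm=rpc-virtstorage path=/usr/bin/mount dev="vda3" ino=793633 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/10/2024 09:02:19.765:1406) : avc: denied { execute } for pid=7232 comm=rpc-virtstorage name=mount dev="vda3" ino=793633 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(08/25/2024 22:56:47.375:253) : avc: denied { create } for pid=1244 comm=smbd[127.0.0.1] anonclass=[io_uring] scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1
type=AVC msg=audit(1710140836.332:583): avc: denied { map } for pid=1093967 comm="gst-plugin-scan" path="/dev/dri/renderD128" dev="devtmpfs" ino=458 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs; values may be quoted ("tmpfs"), bracketed ([io_uring]) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\[[^\]]*\]|\S+)')


def selinux_type(context):
    """Third field of user:role:type[:range]; an MLS/MCS range may itself contain ':'."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "stype": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=0 means the access really failed; =1 means it was only logged.
        "enforced": fields.get("permissive") == "0",
        "comm": fields.get("comm"),
    }


def candidate_rules(audit_text):
    """Merge denials per (source type, target type, class) into allow rules.

    Returns a sorted list of (rule_text, enforced) tuples; 'enforced' is True
    when at least one of the merged denials was hit in enforcing mode.
    """
    merged = defaultdict(set)
    enforced = defaultdict(bool)
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (avc["stype"], avc["ttype"], avc["tclass"])
        merged[key] |= avc["perms"]
        enforced[key] = enforced[key] or avc["enforced"]
    rules = []
    for (src, tgt, cls), perms in merged.items():
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        rules.append((rule, enforced[(src, tgt, cls)]))
    return sorted(rules)


if __name__ == "__main__":
    for rule, was_enforced in candidate_rules(SAMPLE_AUDIT):
        print(("DENIED   " if was_enforced else "audited  ") + rule)
```

Run on the embedded records it yields four rules, the three virtstoraged denials collapsing into one `allow virtstoraged_t mount_exec_t:file { execute execute_no_trans map };`. That collapsed rule is exactly the kind of output that should prompt a second look: a domain executing another domain's entrypoint type usually wants a domain transition, which is what the corresponding commit did.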