44d9aaa * Tue Jul 03 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-34

Authored and Committed by lvrabec 5 years ago
    * Tue Jul 03 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-34
    - Add dac_read_search capability to thumb_t domain
    - Add dac_override capability to cups_pdf_t domain BZ(1594271)
    - Add net_admin capability to connntrackd_t domain BZ(1594221)
    - Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234)
    - Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476)
    - Allow motion_t to mmap video devices BZ(1590446)
    - Add dac_override capability to mpd_t domain BZ(1585358)
    - Allow fsdaemon_t domain to write to mta home files BZ(1588212)
    - Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337)
    - Allow sssd_t domain to write to general cert files BZ(1589339)
    - Allow l2tpd_t domain to send signull to ipsec domains BZ(1589483)
    - Allow cockpit_session_t to read kernel network state BZ(1596941)
    - Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817)
    - Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files
    - Allow chronyc_t domain to use nscd shm
    - Label /var/lib/tomcats dir as tomcat_var_lib_t
    - Allow lsmd_t domain to mmap lsmd_plugin_exec_t files
    - Add ibacm policy
    - Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t
    - Allow kdumpgui_t domain to allow execute and mmap all binaries labeled as kdumpgui_tmp_t
    - Allow rpm to check if SELinux will check original protection mode or modified protection mode (read-implies-exec) for mmap/mprotect. Allow rpm to reload systemd services
    - Allow crond_t domain to create netlink selinux sockets and dac_override cap.
    - Allow radiusd_t domain to have dac_override capability
    - Allow amanda_t domain to have setgid capability
    - Allow psad domain to setrlimit. Allow psad domain to stream connect to dbus. Allow psad domain to exec journalctl_exec_t binary
    - Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label
    - Allow abrt_t domain to write to rhsmcertd pid files
    - Allow pegasus_t domain to exec lvm binaries and allow read/write access to lvm control
    - Add vhostmd_t domain to read/write to svirt images
    - Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files
    - Allow sssd_t and slpad_t domains to mmap generic certs
    - Allow chronyc_t domain use inherited user ttys
    - Allow stapserver_t domain to mmap own tmp files
    - Allow systemd to mounton core kernel interface
    - Add dac_override capability to ipsec_t domain BZ(1589534)
    - Allow systemd domain to mmap lvm config files BZ(1594584)
    - Allow systemd to write systemd_logind_inhibit_var_run_t fifo files
    - Allows systemd to get attributes of core kernel interface BZ(1596928)
    - Allow systemd_modules_load_t to access unlabeled infiniband pkeys
    - Allow init_t domain to create netlink rdma sockets for ibacm policy
    - Update corecmd_exec_shell() interface to allow caller domain to mmap shell_exec_t files
    - Allow lvm_t domain to write files to all mls levels
    - Add to su_role_template allow rule for creating netlink_selinux sockets
    - Allow sysadm_t domain to mmap hwdb db
    - Allow udev_t domain to mmap kernel modules
    - Allow sysadm_screen_t to have capability dac_override and chown
    - Allow sysadm_t domain to mmap journal
    - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
    - Label /etc/systemd/system.control/ dir as systemd_unit_file_t
    
        
file modified
+2 -0
file modified
+65 -3
file modified
+3 -3