{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":21621078,"defaultBranch":"rawhide","name":"selinux-policy","ownerLogin":"fedora-selinux","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2014-07-08T16:48:35.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/8161548?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1716184462.0","currentOid":""},"activityList":{"items":[{"before":"84ed7c93d8085f679e5c0ad873b0f8641ad78ff4","after":null,"ref":"refs/tags/v40.20","pushedAt":"2024-05-20T05:54:11.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"}},{"before":"84ed7c93d8085f679e5c0ad873b0f8641ad78ff4","after":"1f7f05d908f1c93939d7eed9f24a826b0f3ae723","ref":"refs/heads/rawhide","pushedAt":"2024-05-20T05:52:48.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow journald read systemd config files and directories\n\nThe commit addresses the following AVC denial:\ntype=AVC msg=audit(1716124222.645:387): avc:  denied  { read } for  pid=7051 comm=\"systemd-journal\" name=\"journald.conf\" dev=\"dm-0\" ino=3408555 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_conf_t:s0 tclass=file permissive=0\n\nResolves: rhbz#2281489","shortMessageHtmlLink":"Allow journald read systemd config files and directories"}},{"before":"8881cafd24a0b311a46218699bcd3c928ecc1dc3","after":"84ed7c93d8085f679e5c0ad873b0f8641ad78ff4","ref":"refs/heads/rawhide","pushedAt":"2024-05-19T20:22:21.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow systemd_domain read systemd_conf_t dirs\n\nWith the 98d767358ccf (\"Label systemd configuration files with\nsystemd_conf_t\") commit, new file type was introduced for systemd\nconfiguration files and read access was allowed to systemd_domain\nfor files and symlinks and search for directories. Since this commit,\nalso permissions to list directories are allowed.\n\nThe commit addresses the following AVC denial:\ntype=AVC msg=audit(05/18/2024 13:05:44.500:53) : avc:  denied  { read } for  pid=727 comm=systemd-resolve name=resolved.conf.d dev=\"dm-0\" ino=715865 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_conf_t:s0 tclass=dir permissive=0\ntype=SYSCALL msg=audit(05/18/2024 13:05:44.500:53) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0x7 a1=0x7f554f13a438 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=727 auid=unset uid=systemd-resolve gid=systemd-resolve euid=systemd-resolve suid=systemd-resolve fsuid=systemd-resolve egid=systemd-resolve sgid=systemd-resolve fsgid=systemd-resolve tty=(none) ses=unset comm=systemd-resolve exe=/usr/lib/systemd/systemd-resolved subj=system_u:system_r:systemd_resolved_t:s0 key=(null)\ntype=PATH msg=audit(05/18/2024 13:05:44.500:53) : item=0 name=. inode=715865 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_conf_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0","shortMessageHtmlLink":"Allow systemd_domain read systemd_conf_t dirs"}},{"before":"7c32f5dc2ac1b97b1a5878362df105a682ef7765","after":"8881cafd24a0b311a46218699bcd3c928ecc1dc3","ref":"refs/heads/rawhide","pushedAt":"2024-05-19T20:22:12.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Fix bad Python regexp escapes\n\nPython 3.12 started warning about such escapes. Use r\"\" to suppress\nthe warning.","shortMessageHtmlLink":"Fix bad Python regexp escapes"}},{"before":"43430bde4bcabe5bbf52bdb1443b4710d8b64c35","after":"7c32f5dc2ac1b97b1a5878362df105a682ef7765","ref":"refs/heads/rawhide","pushedAt":"2024-05-18T21:31:18.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow fido services connect to postgres database\n\nThe commit addresses the following AVC denial and subsequently raised ones:\ntype=PROCTITLE msg=audit(03/12/2024 00:43:15.243:1724) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server\ntype=SYSCALL msg=audit(03/12/2024 00:43:15.243:1724) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bd0009e60 a2=0x10 a3=0x7f3be1d9b100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null)\ntype=AVC msg=audit(03/12/2024 00:43:15.243:1724) : avc:  denied  { name_connect } for  pid=24579 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1","shortMessageHtmlLink":"Allow fido services connect to postgres database"}},{"before":"85f2db436811030565cd4e9f65c2b608cc376d5f","after":"750db5ab9d7e074156b1daf8e2a8ecd5facc3d9b","ref":"refs/heads/c10s","pushedAt":"2024-05-17T22:32:55.000Z","pushType":"pr_merge","commitsCount":9,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow logwatch read logind sessions files\n\nThe commit addresses the following AVC denial:\ntype=PROCTITLE msg=audit(03/20/2024 10:36:55.005:657) : proctitle=uptime\ntype=PATH msg=audit(03/20/2024 10:36:55.005:657) : item=0 name=/run/systemd/sessions/ inode=81 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_logind_sessions_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0\ntype=SYSCALL msg=audit(03/20/2024 10:36:55.005:657) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f18e19bb970 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=2011 pid=2012 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=uptime exe=/usr/bin/uptime subj=system_u:system_r:logwatch_t:s0 key=(null)\ntype=AVC msg=audit(03/20/2024 10:36:55.005:657) : avc:  denied  { read } for  pid=2012 comm=uptime name=sessions dev=\"tmpfs\" ino=81 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir permissive=0\n\nResolves: RHEL-30441","shortMessageHtmlLink":"Allow logwatch read logind sessions files"}},{"before":"00825fd7ef3d3c10163c953d7737c0297f7c8ced","after":"43430bde4bcabe5bbf52bdb1443b4710d8b64c35","ref":"refs/heads/rawhide","pushedAt":"2024-05-17T22:21:34.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Revert \"Update the README.md file with the c10s branch information\"\n\nThis reverts commit 00825fd7ef3d3c10163c953d7737c0297f7c8ced.","shortMessageHtmlLink":"Revert \"Update the README.md file with the c10s branch information\""}},{"before":"0ed7e9a797ca5be979a5b0b3e626efd775004851","after":"00825fd7ef3d3c10163c953d7737c0297f7c8ced","ref":"refs/heads/rawhide","pushedAt":"2024-05-17T21:25:19.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Update the README.md file with the c10s branch information\n\nThe c10s branch was created in fedora-selinux/selinux-policy to allow\ncontributors work on selinux policy updates for Centos 10 stream\nseamlessly.","shortMessageHtmlLink":"Update the README.md file with the c10s branch information"}},{"before":"bd6c524b11eaa3129789c40efd989c48e84f5ce7","after":"0ed7e9a797ca5be979a5b0b3e626efd775004851","ref":"refs/heads/rawhide","pushedAt":"2024-05-17T20:30:49.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow postfix smtpd map aliases file\n\nThe commit addresses the following AVC denial:\ntype=PROCTITLE msg=audit(05/16/2024 11:58:56.019:602) : proctitle=smtpd -n smtp -t inet -u -s 2\ntype=MMAP msg=audit(05/16/2024 11:58:56.019:602) : fd=12 flags=MAP_SHARED\ntype=SYSCALL msg=audit(05/16/2024 11:58:56.019:602) : arch=x86_64 syscall=mmap success=yes exit=139799220453376 a0=0x0 a1=0x1000000 a2=PROT_READ a3=MAP_SHARED items=0 ppid=8078 pid=8866 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/libexec/postfix/smtpd subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)\ntype=AVC msg=audit(05/16/2024 11:58:56.019:602) : avc:  denied  { map } for  pid=8866 comm=smtpd path=/etc/aliases.lmdb dev=\"vda2\" ino=2316284 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file permissive=1\n\nResolves: RHEL-35544","shortMessageHtmlLink":"Allow postfix smtpd map aliases file"}},{"before":"d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455","after":"85f2db436811030565cd4e9f65c2b608cc376d5f","ref":"refs/heads/c10s","pushedAt":"2024-05-17T19:38:57.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Update the README.md file with the c10s branch information\n\nThe c10s branch was created in fedora-selinux/selinux-policy to allow\ncontributors work on selinux policy updates for Centos 10 stream\nseamlessly.","shortMessageHtmlLink":"Update the README.md file with the c10s branch information"}},{"before":null,"after":"d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455","ref":"refs/heads/c10s","pushedAt":"2024-05-17T18:43:45.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Only allow confined user domains to login locally without unconfined_login\n\nBefore, local_login_t could transition to all userdomain types,\nincluding unconfined_t, regardless of the unconfined_login boolean\nstate.\n\nThis patch allows this unconditional access only to confined user\ndomains. Transition to unconfined_t is already handled elsewhere.\n\nResolves: RHEL-1628","shortMessageHtmlLink":"Only allow confined user domains to login locally without unconfined_…"}},{"before":"4188842590c2d66f321a4fb62fa42093d37b7d1c","after":"f81c762b515ed1263ff63766afada4f590642dad","ref":"refs/heads/c9s","pushedAt":"2024-05-16T15:49:18.000Z","pushType":"pr_merge","commitsCount":9,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Add boolean qemu-ga to run unconfined script\n\nResolves: RHEL-31211","shortMessageHtmlLink":"Add boolean qemu-ga to run unconfined script"}},{"before":"98d767358ccf7c484c7ae50c43c71c86accbd6b7","after":"bd6c524b11eaa3129789c40efd989c48e84f5ce7","ref":"refs/heads/rawhide","pushedAt":"2024-05-16T14:01:45.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Ensure dbus communication is allowed bidirectionally\n\nIn some interfaces, only one-way communication over dbus is allowed.\nThis is not correct, it may result in timeouting the dbus request or\nresponse and possibly also make the service, which uses dbus\ncommunication, fail.","shortMessageHtmlLink":"Ensure dbus communication is allowed bidirectionally"}},{"before":"c7eaa7fd99e7c46a17656785b0f113e4d0f29d92","after":"98d767358ccf7c484c7ae50c43c71c86accbd6b7","ref":"refs/heads/rawhide","pushedAt":"2024-05-16T14:00:40.000Z","pushType":"pr_merge","commitsCount":3,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Label systemd configuration files with systemd_conf_t\n\nThe systemd_conf_t type was added as default file context for plain\nfiles with the .conf suffix, for .conf.d directories in /etc/systemd,\n/run/systemd, and /usr/lib/systemd, and for plain files and symlinks\nin those directories. The /usr/local/lib/systemd directory is a subject\nof file equivalency rules.\nThe systemd_domain attribute was allowed read access to these files.\n\nRefer to https://github.com/systemd/systemd/blob/main/NEWS\nCHANGES WITH 256-rc1:\nGeneral Changes and New Features:\n\n        * Various programs will now attempt to load the main configuration file\n          from locations below /usr/lib/, /usr/local/lib/, and /run/, not just\n          below /etc/. For example, systemd-logind will look for\n          /etc/systemd/logind.conf, /run/systemd/logind.conf,\n          /usr/local/lib/systemd/logind.conf, and /usr/lib/systemd/logind.conf,\n          and use the first file that is found.  This means that the search\n          logic for the main config file and for drop-ins is now the same.\n\nResolves: rhbz#2279923","shortMessageHtmlLink":"Label systemd configuration files with systemd_conf_t"}},{"before":"08d8b6c49e6871bff04a8ea1e0c917335bb9a682","after":"c7eaa7fd99e7c46a17656785b0f113e4d0f29d92","ref":"refs/heads/rawhide","pushedAt":"2024-05-16T13:59:27.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow sysadm execute dmidecode using sudo\n\nWhen an unprivileged user in the sysadm_r role executes dmidecode\nthrough sudo, it transitions into sysadm_sudo_t domain by default.\nWith this commit, the process transitions to dmidecode_t.\n\nResolves: RHEL-16104","shortMessageHtmlLink":"Allow sysadm execute dmidecode using sudo"}},{"before":"01507d2fe7c62f7710e0b0a81141de244ed1ca39","after":"08d8b6c49e6871bff04a8ea1e0c917335bb9a682","ref":"refs/heads/rawhide","pushedAt":"2024-05-16T13:57:24.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow setroubleshootd get attributes of all sysctls\n\nThe commit addresses the following AVC denial:\ntype=PROCTITLE msg=audit(04/24/2024 20:21:11.708:1626) : proctitle=/usr/bin/python3 -Es /usr/sbin/setroubleshootd -f\ntype=PATH msg=audit(04/24/2024 20:21:11.708:1626) : item=0 name=/proc/sys/vm/max_map_count inode=137784 dev=00:14 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0\ntype=SYSCALL msg=audit(04/24/2024 20:21:11.708:1626) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f799d8a8ad0 a2=0x7f799d881050 a3=0x0 items=1 ppid=1 pid=65298 auid=unset uid=setroubleshoot gid=setroubleshoot euid=setroubleshoot suid=setroubleshoot fsuid=setroubleshoot egid=setroubleshoot sgid=setroubleshoot fsgid=setroubleshoot tty=(none) ses=unset comm=setroubleshootd exe=/usr/bin/python3.9 subj=system_u:system_r:setroubleshootd_t:s0 key=(null)\ntype=AVC msg=audit(04/24/2024 20:21:11.708:1626) : avc:  denied  { getattr } for  pid=65298 comm=setroubleshootd path=/proc/sys/vm/max_map_count dev=\"proc\" ino=137784 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0\n\nResolves: RHEL-34078","shortMessageHtmlLink":"Allow setroubleshootd get attributes of all sysctls"}},{"before":"9e0261fc8000cc7b3b1798168d3efa63e4646eeb","after":"01507d2fe7c62f7710e0b0a81141de244ed1ca39","ref":"refs/heads/rawhide","pushedAt":"2024-05-16T13:56:47.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow various services read and write z90crypt device\n\nThis permission is required on s390x systems with the Crypto Express\nadapter card. The z90crypt device driver acts as the interface to the\nPCI cryptography hardware and performs asynchronous encryption\noperations (RSA) as used during the SSL handshake.\n\nIn this commit, services executing the following executables were\nallowed the access:\n- /usr/bin/ssh-keygen\n- /usr/bin/systemctl\n- /usr/sbin/sm-notify\n- /usr/lib/systemd/systemd-executor\n- /usr/lib/systemd/systemd-hostnamed\n- /usr/lib/systemd/systemd-random-seed\n- /usr/lib/systemd/systemd-update-utmp\n- /usr/lib/systemd/systemd-user-sessions\n- /usr/lib/systemd/systemd-user-runtime-dir\n\nand systemd generators.\n\nResolves: RHEL-33361","shortMessageHtmlLink":"Allow various services read and write z90crypt device"}},{"before":"f86544ea8a837c1148f5a69d20e16de2a533a9f7","after":"9e0261fc8000cc7b3b1798168d3efa63e4646eeb","ref":"refs/heads/rawhide","pushedAt":"2024-05-14T14:15:25.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow nfsidmap connect to systemd-homed\n\nThe commit addresses the following AVC denial:\ntype=AVC msg=audit(1715353588.747:526): avc:  denied  { connectto } for  pid=25014 comm=\"nfsidmap\" path=\"/run/systemd/userdb/io.systemd.Home\" scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0\n\nResolves: rhbz#2280017","shortMessageHtmlLink":"Allow nfsidmap connect to systemd-homed"}},{"before":"ffde9842e384c461715e3d1bc1ab6cda40e52efc","after":"f86544ea8a837c1148f5a69d20e16de2a533a9f7","ref":"refs/heads/rawhide","pushedAt":"2024-05-14T14:14:56.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow sandbox_x_client_t dbus chat with accountsd\n\nThe commit addresses the following AVC denial:\ntype=USER_AVC msg=audit(05/13/2024 10:21:39.922:837) : pid=799 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:accountsd_t:s0 tcontext=staff_u:staff_r:sandbox_x_client_t:s0:c13,c243 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'","shortMessageHtmlLink":"Allow sandbox_x_client_t dbus chat with accountsd"}},{"before":"e6e2575cb4007540f4747aa6791c27de28dd413c","after":"ffde9842e384c461715e3d1bc1ab6cda40e52efc","ref":"refs/heads/rawhide","pushedAt":"2024-05-14T14:13:41.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow system_cronjob_t dbus chat with avahi_t\n\nThe commit addresses the following USER_AVC denial:\ntype=USER_AVC msg=audit(04/10/2024 03:09:01.517:310) : pid=553 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'\n\nResolves: RHEL-32290","shortMessageHtmlLink":"Allow system_cronjob_t dbus chat with avahi_t"}},{"before":"339a8aff140f19975235c05efd3defb7db7f4eb9","after":"e6e2575cb4007540f4747aa6791c27de28dd413c","ref":"refs/heads/rawhide","pushedAt":"2024-05-14T14:12:31.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow staff_t the io_uring sqpoll permission\n\nThe commit addresses the following AVC denial:\ntype=PROCTITLE msg=audit(10.5.2024 18:11:00.485:871) : proctitle=/opt/app\ntype=SYSCALL msg=audit(10.5.2024 18:11:00.485:871) : arch=x86_64 syscall=io_uring_setup success=yes exit=7 a0=0x40 a1=0x7ffe85d540b0 a2=0x53 a3=0x1aa800238600 items=0 ppid=83930 pid=84132 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=freetube exe=/opt/FreeTube/freetube subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)\ntype=AVC msg=audit(10.5.2024 18:11:00.485:871) : avc:  denied  { sqpoll } for  pid=84132 comm=freetube scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=io_uring permissive=1","shortMessageHtmlLink":"Allow staff_t the io_uring sqpoll permission"}},{"before":"41c4218e835a068335f05c1cf41268a0db64aab5","after":"339a8aff140f19975235c05efd3defb7db7f4eb9","ref":"refs/heads/rawhide","pushedAt":"2024-05-14T14:11:49.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow staff_t use the io_uring API\n\nRequired for handling qemu disk images by a user in the staff_t domain.\n\nThe commit addresses the following AVC denials:\ntype=PROCTITLE msg=audit(9.5.2024 11:47:16.231:436) : proctitle=qemu-img create -qf qcow2 -F qcow2 -b /path/filename.qcow2 -o lazy\ntype=SYSCALL msg=audit(9.5.2024 11:47:16.231:436) : arch=x86_64 syscall=io_uring_setup success=yes exit=4 a0=0x80 a1=0x7ffc49b29840 a2=0x7ffc49b29840 a3=0x4 items=0 ppid=25793 pid=25872 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=pts11 ses=3 comm=qemu-img exe=/usr/bin/qemu-img subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)\ntype=AVC msg=audit(9.5.2024 11:47:16.231:436) : avc:  denied  { create } for  pid=25872 comm=qemu-img anonclass=[io_uring] scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1\ntype=PROCTITLE msg=audit(9.5.2024 11:47:16.231:437) : proctitle=qemu-img create -qf qcow2 -F qcow2 -b /path/filename.qcow2 -o lazy\ntype=MMAP msg=audit(9.5.2024 11:47:16.231:437) : fd=4 flags=MAP_SHARED|MAP_POPULATE\ntype=SYSCALL msg=audit(9.5.2024 11:47:16.231:437) : arch=x86_64 syscall=mmap success=yes exit=139636585943040 a0=0x0 a1=0x1240 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED|MAP_POPULATE items=0 ppid=25793 pid=25872 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=pts11 ses=3 comm=qemu-img exe=/usr/bin/qemu-img subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)\ntype=AVC msg=audit(9.5.2024 11:47:16.231:437) : avc:  denied  { read write } for  pid=25872 comm=qemu-img path=anon_inode:[io_uring] dev=\"anon_inodefs\" ino=318625 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1\ntype=AVC msg=audit(9.5.2024 11:47:16.231:437) : avc:  denied  { map } for  pid=25872 comm=qemu-img path=anon_inode:[io_uring] dev=\"anon_inodefs\" ino=318625 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1","shortMessageHtmlLink":"Allow staff_t use the io_uring API"}},{"before":"fa52f807ae7b1105a31c6f7b70749e4d7b353736","after":"c1f8a15325855c8a51b8adbaae9adaa073b1cc41","ref":"refs/heads/f39","pushedAt":"2024-05-09T19:58:31.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Add interfaces for watching and reading ifconfig_var_run_t\n\nRequired by frr.\nhttps://gitlab.com/redhat/centos-stream/rpms/frr/-/merge_requests/24\n\nSigned-off-by: Vit Mojzis <vmojzis@redhat.com>","shortMessageHtmlLink":"Add interfaces for watching and reading ifconfig_var_run_t"}},{"before":"28c2ee5fb5dfba79004bfa8dece14dfb62967319","after":"41c4218e835a068335f05c1cf41268a0db64aab5","ref":"refs/heads/rawhide","pushedAt":"2024-05-09T19:40:57.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Add support for secretmem anon inode\n\nCommit 65b9e0bdceb7e6adbe308f9a591b103cba6986ef implements proper\nsupport for anon inodes, however it does not implement support for\nsecretmem anon inode.\n\nThis patch adds type transition, so [secretmem] anon inode is always\ncreated with secretmem_t type. It also adds an interface allowing create\npermission on secretmem_t and allows unconfined_domain_type to use it.\n\nAddresses the following AVCs:\ntype=PROCTITLE msg=audit(03/27/2024 02:54:00.035:4382) : proctitle=stress-ng-resources [run]\ntype=SYSCALL msg=audit(03/27/2024 02:54:00.035:4382) : arch=x86_64 syscall=memfd_secret success=no exit=EACCES(Permission denied) a0=0x0 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=2072 pid=5294 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=stress-ng-resou exe=/usr/bin/stress-ng subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)\ntype=AVC msg=audit(03/27/2024 02:54:00.035:4382) : avc:  denied  { create } for  pid=5294 comm=stress-ng-resou anonclass=[secretmem] scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=0\n\nResolves: rhbz#2270895","shortMessageHtmlLink":"Add support for secretmem anon inode"}},{"before":"6d8fb622f60641e3d93b0355cb2aba4c881114a3","after":"fa52f807ae7b1105a31c6f7b70749e4d7b353736","ref":"refs/heads/f39","pushedAt":"2024-05-09T19:35:35.000Z","pushType":"pr_merge","commitsCount":6,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow svirt_tcg_t map svirt_image_t files\n\nThe commit addresses the following AVC denial:\ntype=AVC msg=audit(1710328208.112:388): avc:  denied  { map } for  pid=3395 comm=\"qemu-system-aar\" path=\"/home/username//CentOS-9-stream/username-centos-9-stream_aarch64/nvdimm-0.dev\" dev=\"sdb4\" ino=789153 scontext=system_u:system_r:svirt_tcg_t:s0:c23,c892 tcontext=system_u:object_r:svirt_image_t:s0:c23,c892 tclass=file permissive=0\n\nResolves: rhbz#2270027","shortMessageHtmlLink":"Allow svirt_tcg_t map svirt_image_t files"}},{"before":"52f34fc4881b78295aaf4eef595ad381e53796ac","after":"4188842590c2d66f321a4fb62fa42093d37b7d1c","ref":"refs/heads/c9s","pushedAt":"2024-05-07T20:04:45.000Z","pushType":"pr_merge","commitsCount":14,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow numad to trace processes in user namespace\n\nThe commit addresses the following AVC denial:\ntype=PROCTITLE msg=audit(04/23/2024 18:03:36.617:3479) : proctitle=/usr/bin/numad -i 15\ntype=SYSCALL msg=audit(04/23/2024 18:03:36.617:3479) : arch=x86_64 syscall=read success=yes exit=169 a0=0x1 a1=0x55cf0c6d4240 a2=0x400 a3=0x0 items=0 ppid=1 pid=3200 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=numad exe=/usr/bin/numad subj=system_u:system_r:numad_t:s0 key=(null)\ntype=AVC msg=audit(04/23/2024 18:03:36.617:3479) : avc:  denied  { sys_ptrace } for  pid=3200 comm=numad capability=sys_ptrace  scontext=system_u:system_r:numad_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=cap_userns permissive=0\n\nResolves: RHEL-33994","shortMessageHtmlLink":"Allow numad to trace processes in user namespace"}},{"before":"a809f095daffadca4c0a7e11e7c6bf28486741c6","after":"28c2ee5fb5dfba79004bfa8dece14dfb62967319","ref":"refs/heads/rawhide","pushedAt":"2024-05-06T07:37:51.000Z","pushType":"pr_merge","commitsCount":11,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow virtqemud read vfio devices\n\nThe commit addresses the following AVC denial:\ntype=AVC msg=audit(04/05/24 17:01:42.433:362) : avc:  denied  { read write } for  pid=8259 comm=qemu-system-x86 name=21 dev=\"tmpfs\" ino=8 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=1","shortMessageHtmlLink":"Allow virtqemud read vfio devices"}},{"before":"5f29fc6f4ad55e0d572a7d48404f2162906a88b8","after":"a809f095daffadca4c0a7e11e7c6bf28486741c6","ref":"refs/heads/rawhide","pushedAt":"2024-05-03T11:18:24.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow svirt_tcg_t map svirt_image_t files\n\nThe commit addresses the following AVC denial:\ntype=AVC msg=audit(1710328208.112:388): avc:  denied  { map } for  pid=3395 comm=\"qemu-system-aar\" path=\"/home/username//CentOS-9-stream/username-centos-9-stream_aarch64/nvdimm-0.dev\" dev=\"sdb4\" ino=789153 scontext=system_u:system_r:svirt_tcg_t:s0:c23,c892 tcontext=system_u:object_r:svirt_image_t:s0:c23,c892 tclass=file permissive=0\n\nResolves: rhbz#2270027","shortMessageHtmlLink":"Allow svirt_tcg_t map svirt_image_t files"}},{"before":"1652297104e4e6f9b3dfe4482d04e8bb3360df4d","after":"5f29fc6f4ad55e0d572a7d48404f2162906a88b8","ref":"refs/heads/rawhide","pushedAt":"2024-05-03T11:12:12.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow abrt-dump-journal-core connect to systemd-homed\n\nThe commit addresses the following AVC denial:\naudit: type=1400 audit(1713982589.922:18417): avc:  denied  { connectto } for  pid=175324 comm=\"abrt-dump-journ\" path=\"/run/systemd/userdb/io.systemd.Home\" scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0","shortMessageHtmlLink":"Allow abrt-dump-journal-core connect to systemd-homed"}},{"before":"a4c9c9ba835c371a817590f3c8c4e894d3fb7d37","after":"1652297104e4e6f9b3dfe4482d04e8bb3360df4d","ref":"refs/heads/rawhide","pushedAt":"2024-05-03T11:11:51.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow abrt-dump-journal-core connect to systemd-machined\n\nabrt-dump-journal-core was allowed to connect to systemd-machined\nover a unix socket.\n\nThe commit addresses the following AVC denial and 2 related ones:\ntype=AVC msg=audit(1714352016.324:249): avc:  denied  { connectto } for  pid=2471 comm=\"abrt-dump-journ\" path=\"/run/systemd/userdb/io.systemd.Machine\" scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0\n\nResolves: rhbz#2277658","shortMessageHtmlLink":"Allow abrt-dump-journal-core connect to systemd-machined"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAETnS7awA","startCursor":null,"endCursor":null}},"title":"Activity · fedora-selinux/selinux-policy"}