--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-98cb37f64a
2024-12-20 13:38:02.107422+00:00
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 41
Version     : 41.27
Release     : 1.fc41
URL         : https://github.com/fedora-selinux/selinux-policy
Summary     : SELinux policy configuration
Description :
SELinux core policy package.
Originally based off of reference policy,
the policy has been adjusted to provide support for Fedora.

--------------------------------------------------------------------------------
Update Information:

New F41 selinux-policy build
--------------------------------------------------------------------------------
ChangeLog:

* Tue Dec 17 2024 Zdenek Pytela <zpytela@xxxxxxxxxx> - 41.27-1
- Update ktlsh policy
- Allow request-key to read /etc/passwd
- Allow request-key to manage all domains' keys
- Add support for the KVM guest memfd anon inodes
- Allow auditctl signal auditd
- Dontaudit systemd-coredump the sys_resource capability
- Allow traceroute_t bind rawip sockets to unreserved ports
- Fix the cups_read_pid_files() interface to use read_files_pattern
- Allow virtqemud additional permissions for tmpfs_t blk devices
- Allow virtqemud rw access to svirt_image_t chr files
- Allow virtqemud rw and setattr access to fixed block devices
- Label /etc/mdevctl.d/scripts.d with bin_t
- Allow virtqemud open svirt_devpts_t char files
- Allow virtqemud relabelfrom virt_log_t files
- Allow svirt_tcg_t read virtqemud_t fifo_files
- Allow virtqemud rw and setattr access to sev devices
- Allow virtqemud directly read and write to a fixed disk
- Allow virtqemud_t relabel virt_var_lib_t files
- Allow virtqemud_t relabel virtqemud_var_run_t sock_files
- Add gnome_filetrans_gstreamer_admin_home_content() interface
- Label /dev/swradio, /dev/v4l-subdev, /dev/v4l-touch with v4l_device_t
- Make bootupd_t permissive
- Allow init_t nnp domain transition to locate_t
- allow gdm and iiosensorproxy talk to each other via D-bus
- Allow systemd-journald getattr nsfs files
- Allow sendmail to map mail server configuration files
- Allow procmail to read mail aliases
- Allow cifs.idmap helper to set attributes on kernel keys
- Allow irqbalance setpcap capability in the user namespace
- Allow sssd_selinux_manager_t the setcap process permission
- Allow systemd-sleep manage efivarfs files
- Allow systemd-related domains getattr nsfs files
- Allow svirt_t the sys_rawio capability
- Allow alsa watch generic device directories
- Move systemd-homed interfaces to separate optional_policy block
- Update samba-bgqd policy
- Update virtlogd policy
- Allow svirt_t the sys_rawio capability
- Allow qemu-ga the dac_override and dac_read_search capabilities
- Allow bacula execute container in the container domain
- Allow httpd get attributes of dirsrv unit files
- Allow samba-bgqd read cups config files
- Add label rshim_var_run_t for /run/rshim.pid
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2328821 - cifs.idmap denial when mounting share with SMB3 POSIX extensions enabled
        https://bugzilla.redhat.com/show_bug.cgi?id=2328821
  [ 2 ] Bug #2329280 - SELinux is preventing /usr/lib/systemd/systemd-resolved from 'getattr' accesses on the file /cgroup:[4026531835].
        https://bugzilla.redhat.com/show_bug.cgi?id=2329280
  [ 3 ] Bug #2330477 - SELinux is preventing gst-plugin-scan from read, write access on the chr_file v4l-subdev4.
        https://bugzilla.redhat.com/show_bug.cgi?id=2330477
  [ 4 ] Bug #2330674 - Failed to start systemd-hibernate-clear.service - Clear Stale Hibernate Storage Info.
        https://bugzilla.redhat.com/show_bug.cgi?id=2330674
  [ 5 ] Bug #2330761 - SELinux is preventing /usr/lib/systemd/systemd-executor from 'execute_no_trans' accesses on the file /usr/sbin/updatedb.
        https://bugzilla.redhat.com/show_bug.cgi?id=2330761
  [ 6 ] Bug #2331486 - Allow setcap() syscall for 'sssd_selinux_manager_t'
        https://bugzilla.redhat.com/show_bug.cgi?id=2331486
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-98cb37f64a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------