Fedora 41 Update: selinux-policy-41.31-1.fc41

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-62c612355c
2025-02-03 01:17:34.730834+00:00
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 41
Version     : 41.31
Release     : 1.fc41
URL         : https://github.com/fedora-selinux/selinux-policy
Summary     : SELinux policy configuration
Description :
SELinux core policy package.
Originally based off of reference policy,
the policy has been adjusted to provide support for Fedora.

--------------------------------------------------------------------------------
Update Information:

New F41 selinux-policy build
--------------------------------------------------------------------------------
ChangeLog:

* Sat Feb  1 2025 Zdenek Pytela <zpytela@xxxxxxxxxx> - 41.31-1
- Allow snapperd execute systemctl in the caller domain
- Allow svirt_tcg_t to connect to nbdkit over a unix stream socket
- Allow iio-sensor-proxy read iio devices
- Label /dev/iio:device[0-9]+ devices
- Allow systemd-coredump the sys_admin capability
- Allow apcupsd's apccontrol to send messages using wall
- contrib/thumb: also allow per-user thumbnailers
- contrib/thumb: fix thunar thumbnailer (rhbz#2315893)
- Allow virt_domain to use pulseaudio - conditional
- Allow pcmsensor read nmi_watchdog state information
- Allow init_t nnp domain transition to gssproxy_t
* Tue Jan 28 2025 Zdenek Pytela <zpytela@xxxxxxxxxx> - 41.30-1
- Allow systemd-generator connect to syslog over a unix stream socket
- Allow virtqemud manage fixed disk device nodes
- Allow iio-sensor-proxy connect to syslog over a unix stream socket
- Allow virtstoraged write to sysfs files
- Allow power-profiles-daemon write sysfs files
- Update iiosensorproxy policy
- Allow pcmsensor write nmi_watchdog state information
- Label /proc/sys/kernel/nmi_watchdog with sysctl_nmi_watchdog_t
- Allow virtnodedev create /etc/mdevctl.d/scripts.d with bin_t type
- Add the gpg_read_user_secrets() interface
- Allow gnome-remote-desktop read resolv.conf
- Update switcheroo policy
- Allow nfsidmap connect to systemd-homed over a unix socket
- Add the auth_write_motd_var_run_files() interface
- Add the bind_exec_named_checkconf() interface
- Add the virt_exec_virsh() interface
* Wed Jan 15 2025 Zdenek Pytela <zpytela@xxxxxxxxxx> - 41.29-1
- Allow virtqemud domain transition to nbdkit
- Add nbdkit interfaces defined conditionally
- Allow samba-bgqd connect to cupsd over an unix domain stream socket
- Confine the switcheroo-control service
- Allow svirt_t read sysfs files
- Add rhsmcertd interfaces
- Add the ssh_exec_sshd() interface
- Add the gpg_domtrans_agent() interface
- Label /usr/bin/dnf5 with rpm_exec_t
- Label /dev/pmem[0-9]+ with fixed_disk_device_t
- allow kdm to create /root/.kde/ with correct label
- Change /usr/sbin entries to use /usr/bin or remove them
- Allow systemd-homed get filesystem quotas
- Allow login_userdomain getattr nsfs files
- Allow virtqemud send a generic signal to the ssh client domain
- Dontaudit request-key read /etc/passwd
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2275868 - SELinux prevents the lnusertemp command from creating /root/.kde directory
        https://bugzilla.redhat.com/show_bug.cgi?id=2275868
  [ 2 ] Bug #2324181 - selinux is denying iio-sensor-proxy write access to sysfs which it needs for certain iio sensors
        https://bugzilla.redhat.com/show_bug.cgi?id=2324181
  [ 3 ] Bug #2331002 - SELinux is preventing /usr/libexec/iio-sensor-proxy from 'search' accesses on the directory journal.
        https://bugzilla.redhat.com/show_bug.cgi?id=2331002
  [ 4 ] Bug #2334965 - SELinux is preventing power-profiles- from 'write' accesses on the file energy_performance_preference.
        https://bugzilla.redhat.com/show_bug.cgi?id=2334965
  [ 5 ] Bug #2335200 - SELinux is preventing /usr/lib/systemd/systemd-coredump from using the 'sys_admin' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=2335200
  [ 6 ] Bug #2338713 - SELinux is preventing gnome-remote-de from 'open' accesses on the file /etc/resolv.conf.
        https://bugzilla.redhat.com/show_bug.cgi?id=2338713
  [ 7 ] Bug #2342260 - 41.29-1.fc41 regression: avc:  denied  { connectto } for comm="nbd-connect" when updating together with another SELinux module (extra_binsbin related?)
        https://bugzilla.redhat.com/show_bug.cgi?id=2342260
  [ 8 ] Bug #2342778 - SELinux is preventing snapperd from 'execute_no_trans' accesses on the file /usr/bin/systemctl.
        https://bugzilla.redhat.com/show_bug.cgi?id=2342778
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-62c612355c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
