{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":21621078,"defaultBranch":"rawhide","name":"selinux-policy","ownerLogin":"fedora-selinux","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2014-07-08T16:48:35.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/8161548?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1717524914.0","currentOid":""},"activityList":{"items":[{"before":"5c8fe6e4da3b6dd73f084ad093cd19d88c430ae8","after":"fd08b469e2906675c79d109006916496a542b33f","ref":"refs/heads/rawhide","pushedAt":"2024-06-04T18:58:29.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow pulseaudio map its runtime files\n\nThe commit addresses the following AVC denial:\ntype=AVC msg=audit(06/02/2024 21:36:11.313:861) : avc: denied { map } for pid=831 comm=alsa-sink-USB A path=/run/pulse/orcexec.Tw9Ifn (deleted) dev=\"tmpfs\" ino=2349 scontext=system_u:system_r:pulseaudio_t:s0 tcontext=system_u:object_r:pulseaudio_var_run_t:s0 tclass=file permissive=0\n\nResolves: rhbz#2290363","shortMessageHtmlLink":"Allow pulseaudio map its runtime files"}},{"before":"351a598ecbc0717926181e0a88d07878a12e7301","after":"5c8fe6e4da3b6dd73f084ad093cd19d88c430ae8","ref":"refs/heads/rawhide","pushedAt":"2024-06-04T18:57:56.000Z","pushType":"pr_merge","commitsCount":3,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Update policy for getty-generator\n\nPermissions to setfscreate and open unallocated ttys were added.\nThe commit addresses the following AVC denials:\ntype=AVC msg=audit(06/04/2024 06:20:34.616:383) : avc: denied { open } for pid=28152 comm=systemd-getty-g path=/dev/ttyS0 
dev=\"devtmpfs\" ino=305 scontext=system_u:system_r:systemd_getty_generator_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=1\ntype=AVC msg=audit(06/04/2024 06:20:34.616:384) : avc: denied { setfscreate } for pid=28152 comm=systemd-getty-g scontext=system_u:system_r:systemd_getty_generator_t:s0 tcontext=system_u:system_r:systemd_getty_generator_t:s0 tclass=process permissive=1","shortMessageHtmlLink":"Update policy for getty-generator"}},{"before":"eb5635fb3c3b1b59b3643910ca16360dc1c5e8c3","after":null,"ref":"refs/tags/v41.1","pushedAt":"2024-06-03T14:58:10.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"}},{"before":"eb5635fb3c3b1b59b3643910ca16360dc1c5e8c3","after":"351a598ecbc0717926181e0a88d07878a12e7301","ref":"refs/heads/rawhide","pushedAt":"2024-06-03T14:57:11.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow fstab-generator create unit file symlinks\n\ntype=PROCTITLE msg=audit(06/03/2024 15:41:59.006:210) : proctitle=/usr/lib/systemd/system-generators/systemd-fstab-generator /run/systemd/generator /run/systemd/generator.early /run/systemd/gene\ntype=PATH msg=audit(06/03/2024 15:41:59.006:210) : item=2 name=/run/systemd/generator/local-fs.target.requires/-.mount inode=1803 dev=00:19 mode=link,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_generic_generator_unit_file_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PATH msg=audit(06/03/2024 15:41:59.006:210) : item=1 name=../-.mount nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PATH msg=audit(06/03/2024 15:41:59.006:210) : item=0 
name=/run/systemd/generator/local-fs.target.requires/ inode=1797 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_generic_generator_unit_file_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0\ntype=SYSCALL msg=audit(06/03/2024 15:41:59.006:210) : arch=x86_64 syscall=symlink success=yes exit=0 a0=0x558a92f9c4d0 a1=0x558a92f9c330 a2=0x0 a3=0x0 items=3 ppid=3123 pid=3138 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-fstab-g exe=/usr/lib/systemd/system-generators/systemd-fstab-generator subj=system_u:system_r:systemd_fstab_generator_t:s0 key=(null)\ntype=AVC msg=audit(06/03/2024 15:41:59.006:210) : avc: denied { create } for pid=3138 comm=systemd-fstab-g name=-.mount scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_generic_generator_unit_file_t:s0 tclass=lnk_file permissive=1\ntype=AVC msg=audit(06/03/2024 15:41:59.006:210) : avc: denied { add_name } for pid=3138 comm=systemd-fstab-g name=-.mount scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_generic_generator_unit_file_t:s0 tclass=dir permissive=1\ntype=AVC msg=audit(06/03/2024 15:41:59.006:210) : avc: denied { write } for pid=3138 comm=systemd-fstab-g name=local-fs.target.requires dev=\"tmpfs\" ino=1797 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_generic_generator_unit_file_t:s0 tclass=dir permissive=1\ntype=AVC msg=audit(06/03/2024 15:41:59.006:210) : avc: denied { search } for pid=3138 comm=systemd-fstab-g name=local-fs.target.requires dev=\"tmpfs\" ino=1797 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_generic_generator_unit_file_t:s0 tclass=dir permissive=1","shortMessageHtmlLink":"Allow fstab-generator create unit file 
symlinks"}},{"before":"f93ef19a203a6bbffee5fc7c9bcf9a051959ca89","after":"eb5635fb3c3b1b59b3643910ca16360dc1c5e8c3","ref":"refs/heads/rawhide","pushedAt":"2024-06-03T12:54:39.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Update policy for cryptsetup-generator","shortMessageHtmlLink":"Update policy for cryptsetup-generator"}},{"before":"eaaa77fa27c5859a6a5eb0281edf984cf0dbad95","after":"f93ef19a203a6bbffee5fc7c9bcf9a051959ca89","ref":"refs/heads/rawhide","pushedAt":"2024-06-02T20:44:44.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow virtqemud read vm sysctls\n\nRequired by qemu-system-ppc on the ppc64le architecture.\n\nThe commit addresses the following AVC denial:\ntype=AVC msg=audit(1716962750.427:216): avc: denied { read } for pid=3074 comm=\"qemu-system-ppc\" name=\"max_map_count\" dev=\"proc\" ino=53342 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1\n\nResolves: rhbz#2283792","shortMessageHtmlLink":"Allow virtqemud read vm sysctls"}},{"before":"6bb2f5fb2681644a0823ecaff82d424db52e2628","after":"eaaa77fa27c5859a6a5eb0281edf984cf0dbad95","ref":"refs/heads/rawhide","pushedAt":"2024-06-02T20:44:29.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow collectd to trace processes in user namespace\n\nThe commit addresses the following AVC denial:\ntype=PROCTITLE msg=audit(05/14/2024 05:47:14.491:7864) : proctitle=/usr/sbin/collectd\ntype=SYSCALL msg=audit(05/14/2024 05:47:14.491:7864) : arch=x86_64 
syscall=read success=yes exit=177 a0=0x7 a1=0x7fc5ec000d70 a2=0x400 a3=0x0 items=0 ppid=1 pid=866907 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=reader#0 exe=/usr/sbin/collectd subj=system_u:system_r:collectd_t:s0 key=(null)\ntype=AVC msg=audit(05/14/2024 05:47:14.491:7864) : avc: denied { sys_ptrace } for pid=866907 comm=reader#0 capability=sys_ptrace scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=cap_userns permissive=0\n\nResolves: RHEL-36293","shortMessageHtmlLink":"Allow collectd to trace processes in user namespace"}},{"before":"259388539b76c49796f9786bb5d06f3ed621b0ae","after":"6bb2f5fb2681644a0823ecaff82d424db52e2628","ref":"refs/heads/rawhide","pushedAt":"2024-06-02T20:44:05.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow bootupd search efivarfs dirs\n\nThe commit addresses the following AVC denial:\n\ntype=PROCTITLE msg=audit(05/13/2024 20:55:09.250:500) : proctitle=/usr/libexec/bootupd daemon -v\ntype=PATH msg=audit(05/13/2024 20:55:09.250:500) : item=0 name=/sys/firmware/efi/efivars/LoaderInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0\ntype=SYSCALL msg=audit(05/13/2024 20:55:09.250:500) : arch=aarch64 syscall=statx success=no exit=ENOENT(No such file or directory) a0=0xffffffffffffff9c a1=0xffffd11a0668 a2=0x0 a3=0xfff items=1 ppid=1 pid=56333 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bootupd exe=/usr/libexec/bootupd subj=system_u:system_r:bootupd_t:s0 key=(null)\ntype=AVC msg=audit(05/13/2024 20:55:09.250:500) : avc: denied { search } for pid=56333 comm=bootupd name=/ dev=\"efivarfs\" ino=1336 
scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1\n\nResolves: RHEL-36289","shortMessageHtmlLink":"Allow bootupd search efivarfs dirs"}},{"before":"0ff1e00b77d5598733418f5d445b33082c3f084e","after":"259388539b76c49796f9786bb5d06f3ed621b0ae","ref":"refs/heads/rawhide","pushedAt":"2024-06-02T20:43:35.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Add policy for systemd-mountfsd\n\nA small new service systemd-mountfsd.service was added in systemd v256 [1].\nIt provides a Varlink IPC API for mounting DDI images, and returning a set of mount\nfile descriptors for it. If a user namespace fd is provided as input,\nthen the mounts are registered with the user namespace. To ensure trust\nin the image it must provide Verity information (or alternatively\ninteractive polkit authentication is required).\n\n[1] https://github.com/systemd/systemd/releases/tag/v256-rc1","shortMessageHtmlLink":"Add policy for systemd-mountfsd"}},{"before":"feb2379d4674d065dbcabe8b342c731954930536","after":"0ff1e00b77d5598733418f5d445b33082c3f084e","ref":"refs/heads/rawhide","pushedAt":"2024-06-02T20:31:56.000Z","pushType":"pr_merge","commitsCount":4,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Update policy generators\n\nThe policy for bless-boot, cryptsetup, sysv, and zram generators\nand the generators template were updated.","shortMessageHtmlLink":"Update policy generators"}},{"before":null,"after":"3bd4020df748550825948cf29475b783ed943555","ref":"refs/heads/f40","pushedAt":"2024-05-31T18:40:07.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"zpytela","name":"Zdeněk 
Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Add policy for second batch of generators\n\nThe following systemd system generators were confined:\n- bless-boot\n- cryptsetup\n- debug\n- getty\n- zram","shortMessageHtmlLink":"Add policy for second batch of generators"}},{"before":"feb2379d4674d065dbcabe8b342c731954930536","after":null,"ref":"refs/tags/v20.21","pushedAt":"2024-05-30T20:40:12.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"}},{"before":"40b6a48815be606c9c0f4fef38606faf233beda0","after":"feb2379d4674d065dbcabe8b342c731954930536","ref":"refs/heads/rawhide","pushedAt":"2024-05-30T20:07:25.000Z","pushType":"pr_merge","commitsCount":5,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Add policy for a generic generator\n\nAll systemd system generators which do not have a particular type\nassigned will now be executed in the systemd_generic_generator_t domain\ninstead of init_t.","shortMessageHtmlLink":"Add policy for a generic generator"}},{"before":"1f7f05d908f1c93939d7eed9f24a826b0f3ae723","after":"40b6a48815be606c9c0f4fef38606faf233beda0","ref":"refs/heads/rawhide","pushedAt":"2024-05-30T15:47:08.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"ci: Adjust Cockpit test plans\n\nCockpit recently reorganized its fmf test plans to better balance the\ntest durations [1]. 
Follow suit.\n\nIt would be really nice to have https://github.com/teemtee/tmt/issues/1770\nto avoid this duplication..\n\nhttps://github.com/cockpit-project/cockpit/commit/18814b60c97cbbba","shortMessageHtmlLink":"ci: Adjust Cockpit test plans"}},{"before":"84ed7c93d8085f679e5c0ad873b0f8641ad78ff4","after":null,"ref":"refs/tags/v40.20","pushedAt":"2024-05-20T05:54:11.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"}},{"before":"84ed7c93d8085f679e5c0ad873b0f8641ad78ff4","after":"1f7f05d908f1c93939d7eed9f24a826b0f3ae723","ref":"refs/heads/rawhide","pushedAt":"2024-05-20T05:52:48.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow journald read systemd config files and directories\n\nThe commit addresses the following AVC denial:\ntype=AVC msg=audit(1716124222.645:387): avc: denied { read } for pid=7051 comm=\"systemd-journal\" name=\"journald.conf\" dev=\"dm-0\" ino=3408555 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_conf_t:s0 tclass=file permissive=0\n\nResolves: rhbz#2281489","shortMessageHtmlLink":"Allow journald read systemd config files and directories"}},{"before":"8881cafd24a0b311a46218699bcd3c928ecc1dc3","after":"84ed7c93d8085f679e5c0ad873b0f8641ad78ff4","ref":"refs/heads/rawhide","pushedAt":"2024-05-19T20:22:21.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow systemd_domain read systemd_conf_t dirs\n\nWith the 98d767358ccf (\"Label systemd configuration files with\nsystemd_conf_t\") commit, new file type was introduced for 
systemd\nconfiguration files and read access was allowed to systemd_domain\nfor files and symlinks and search for directories. Since this commit,\nalso permissions to list directories are allowed.\n\nThe commit addresses the following AVC denial:\ntype=AVC msg=audit(05/18/2024 13:05:44.500:53) : avc: denied { read } for pid=727 comm=systemd-resolve name=resolved.conf.d dev=\"dm-0\" ino=715865 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_conf_t:s0 tclass=dir permissive=0\ntype=SYSCALL msg=audit(05/18/2024 13:05:44.500:53) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0x7 a1=0x7f554f13a438 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=727 auid=unset uid=systemd-resolve gid=systemd-resolve euid=systemd-resolve suid=systemd-resolve fsuid=systemd-resolve egid=systemd-resolve sgid=systemd-resolve fsgid=systemd-resolve tty=(none) ses=unset comm=systemd-resolve exe=/usr/lib/systemd/systemd-resolved subj=system_u:system_r:systemd_resolved_t:s0 key=(null)\ntype=PATH msg=audit(05/18/2024 13:05:44.500:53) : item=0 name=. inode=715865 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_conf_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0","shortMessageHtmlLink":"Allow systemd_domain read systemd_conf_t dirs"}},{"before":"7c32f5dc2ac1b97b1a5878362df105a682ef7765","after":"8881cafd24a0b311a46218699bcd3c928ecc1dc3","ref":"refs/heads/rawhide","pushedAt":"2024-05-19T20:22:12.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Fix bad Python regexp escapes\n\nPython 3.12 started warning about such escapes. 
Use r\"\" to suppress\nthe warning.","shortMessageHtmlLink":"Fix bad Python regexp escapes"}},{"before":"43430bde4bcabe5bbf52bdb1443b4710d8b64c35","after":"7c32f5dc2ac1b97b1a5878362df105a682ef7765","ref":"refs/heads/rawhide","pushedAt":"2024-05-18T21:31:18.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow fido services connect to postgres database\n\nThe commit addresses the following AVC denial and subsequently raised ones:\ntype=PROCTITLE msg=audit(03/12/2024 00:43:15.243:1724) : proctitle=/usr/libexec/fdo/fdo-rendezvous-server\ntype=SYSCALL msg=audit(03/12/2024 00:43:15.243:1724) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0xa a1=0x7f3bd0009e60 a2=0x10 a3=0x7f3be1d9b100 items=0 ppid=1 pid=24579 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=r2d2-worker-0 exe=/usr/libexec/fdo/fdo-rendezvous-server subj=system_u:system_r:fdo_t:s0 key=(null)\ntype=AVC msg=audit(03/12/2024 00:43:15.243:1724) : avc: denied { name_connect } for pid=24579 comm=r2d2-worker-0 dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1","shortMessageHtmlLink":"Allow fido services connect to postgres database"}},{"before":"85f2db436811030565cd4e9f65c2b608cc376d5f","after":"750db5ab9d7e074156b1daf8e2a8ecd5facc3d9b","ref":"refs/heads/c10s","pushedAt":"2024-05-17T22:32:55.000Z","pushType":"pr_merge","commitsCount":9,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow logwatch read logind sessions files\n\nThe commit addresses the following AVC denial:\ntype=PROCTITLE msg=audit(03/20/2024 10:36:55.005:657) : 
proctitle=uptime\ntype=PATH msg=audit(03/20/2024 10:36:55.005:657) : item=0 name=/run/systemd/sessions/ inode=81 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_logind_sessions_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0\ntype=SYSCALL msg=audit(03/20/2024 10:36:55.005:657) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f18e19bb970 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=2011 pid=2012 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=uptime exe=/usr/bin/uptime subj=system_u:system_r:logwatch_t:s0 key=(null)\ntype=AVC msg=audit(03/20/2024 10:36:55.005:657) : avc: denied { read } for pid=2012 comm=uptime name=sessions dev=\"tmpfs\" ino=81 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir permissive=0\n\nResolves: RHEL-30441","shortMessageHtmlLink":"Allow logwatch read logind sessions files"}},{"before":"00825fd7ef3d3c10163c953d7737c0297f7c8ced","after":"43430bde4bcabe5bbf52bdb1443b4710d8b64c35","ref":"refs/heads/rawhide","pushedAt":"2024-05-17T22:21:34.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Revert \"Update the README.md file with the c10s branch information\"\n\nThis reverts commit 00825fd7ef3d3c10163c953d7737c0297f7c8ced.","shortMessageHtmlLink":"Revert \"Update the README.md file with the c10s branch information\""}},{"before":"0ed7e9a797ca5be979a5b0b3e626efd775004851","after":"00825fd7ef3d3c10163c953d7737c0297f7c8ced","ref":"refs/heads/rawhide","pushedAt":"2024-05-17T21:25:19.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk 
Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Update the README.md file with the c10s branch information\n\nThe c10s branch was created in fedora-selinux/selinux-policy to allow\ncontributors work on selinux policy updates for Centos 10 stream\nseamlessly.","shortMessageHtmlLink":"Update the README.md file with the c10s branch information"}},{"before":"bd6c524b11eaa3129789c40efd989c48e84f5ce7","after":"0ed7e9a797ca5be979a5b0b3e626efd775004851","ref":"refs/heads/rawhide","pushedAt":"2024-05-17T20:30:49.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow postfix smtpd map aliases file\n\nThe commit addresses the following AVC denial:\ntype=PROCTITLE msg=audit(05/16/2024 11:58:56.019:602) : proctitle=smtpd -n smtp -t inet -u -s 2\ntype=MMAP msg=audit(05/16/2024 11:58:56.019:602) : fd=12 flags=MAP_SHARED\ntype=SYSCALL msg=audit(05/16/2024 11:58:56.019:602) : arch=x86_64 syscall=mmap success=yes exit=139799220453376 a0=0x0 a1=0x1000000 a2=PROT_READ a3=MAP_SHARED items=0 ppid=8078 pid=8866 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/libexec/postfix/smtpd subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)\ntype=AVC msg=audit(05/16/2024 11:58:56.019:602) : avc: denied { map } for pid=8866 comm=smtpd path=/etc/aliases.lmdb dev=\"vda2\" ino=2316284 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file permissive=1\n\nResolves: RHEL-35544","shortMessageHtmlLink":"Allow postfix smtpd map aliases 
file"}},{"before":"d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455","after":"85f2db436811030565cd4e9f65c2b608cc376d5f","ref":"refs/heads/c10s","pushedAt":"2024-05-17T19:38:57.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Update the README.md file with the c10s branch information\n\nThe c10s branch was created in fedora-selinux/selinux-policy to allow\ncontributors work on selinux policy updates for Centos 10 stream\nseamlessly.","shortMessageHtmlLink":"Update the README.md file with the c10s branch information"}},{"before":null,"after":"d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455","ref":"refs/heads/c10s","pushedAt":"2024-05-17T18:43:45.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Only allow confined user domains to login locally without unconfined_login\n\nBefore, local_login_t could transition to all userdomain types,\nincluding unconfined_t, regardless of the unconfined_login boolean\nstate.\n\nThis patch allows this unconditional access only to confined user\ndomains. 
Transition to unconfined_t is already handled elsewhere.\n\nResolves: RHEL-1628","shortMessageHtmlLink":"Only allow confined user domains to login locally without unconfined_…"}},{"before":"4188842590c2d66f321a4fb62fa42093d37b7d1c","after":"f81c762b515ed1263ff63766afada4f590642dad","ref":"refs/heads/c9s","pushedAt":"2024-05-16T15:49:18.000Z","pushType":"pr_merge","commitsCount":9,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Add boolean qemu-ga to run unconfined script\n\nResolves: RHEL-31211","shortMessageHtmlLink":"Add boolean qemu-ga to run unconfined script"}},{"before":"98d767358ccf7c484c7ae50c43c71c86accbd6b7","after":"bd6c524b11eaa3129789c40efd989c48e84f5ce7","ref":"refs/heads/rawhide","pushedAt":"2024-05-16T14:01:45.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Ensure dbus communication is allowed bidirectionally\n\nIn some interfaces, only one-way communication over dbus is allowed.\nThis is not correct, it may result in timeouting the dbus request or\nresponse and possibly also make the service, which uses dbus\ncommunication, fail.","shortMessageHtmlLink":"Ensure dbus communication is allowed bidirectionally"}},{"before":"c7eaa7fd99e7c46a17656785b0f113e4d0f29d92","after":"98d767358ccf7c484c7ae50c43c71c86accbd6b7","ref":"refs/heads/rawhide","pushedAt":"2024-05-16T14:00:40.000Z","pushType":"pr_merge","commitsCount":3,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Label systemd configuration files with systemd_conf_t\n\nThe systemd_conf_t type was added as default file context for plain\nfiles with the .conf suffix, for .conf.d directories in 
/etc/systemd,\n/run/systemd, and /usr/lib/systemd, and for plain files and symlinks\nin those directories. The /usr/local/lib/systemd directory is a subject\nof file equivalency rules.\nThe systemd_domain attribute was allowed read access to these files.\n\nRefer to https://github.com/systemd/systemd/blob/main/NEWS\nCHANGES WITH 256-rc1:\nGeneral Changes and New Features:\n\n * Various programs will now attempt to load the main configuration file\n from locations below /usr/lib/, /usr/local/lib/, and /run/, not just\n below /etc/. For example, systemd-logind will look for\n /etc/systemd/logind.conf, /run/systemd/logind.conf,\n /usr/local/lib/systemd/logind.conf, and /usr/lib/systemd/logind.conf,\n and use the first file that is found. This means that the search\n logic for the main config file and for drop-ins is now the same.\n\nResolves: rhbz#2279923","shortMessageHtmlLink":"Label systemd configuration files with systemd_conf_t"}},{"before":"08d8b6c49e6871bff04a8ea1e0c917335bb9a682","after":"c7eaa7fd99e7c46a17656785b0f113e4d0f29d92","ref":"refs/heads/rawhide","pushedAt":"2024-05-16T13:59:27.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"zpytela","name":"Zdeněk Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow sysadm execute dmidecode using sudo\n\nWhen an unprivileged user in the sysadm_r role executes dmidecode\nthrough sudo, it transitions into sysadm_sudo_t domain by default.\nWith this commit, the process transitions to dmidecode_t.\n\nResolves: RHEL-16104","shortMessageHtmlLink":"Allow sysadm execute dmidecode using sudo"}},{"before":"01507d2fe7c62f7710e0b0a81141de244ed1ca39","after":"08d8b6c49e6871bff04a8ea1e0c917335bb9a682","ref":"refs/heads/rawhide","pushedAt":"2024-05-16T13:57:24.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"zpytela","name":"Zdeněk 
Pytela","path":"/zpytela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16078627?s=80&v=4"},"commit":{"message":"Allow setroubleshootd get attributes of all sysctls\n\nThe commit addresses the following AVC denial:\ntype=PROCTITLE msg=audit(04/24/2024 20:21:11.708:1626) : proctitle=/usr/bin/python3 -Es /usr/sbin/setroubleshootd -f\ntype=PATH msg=audit(04/24/2024 20:21:11.708:1626) : item=0 name=/proc/sys/vm/max_map_count inode=137784 dev=00:14 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0\ntype=SYSCALL msg=audit(04/24/2024 20:21:11.708:1626) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f799d8a8ad0 a2=0x7f799d881050 a3=0x0 items=1 ppid=1 pid=65298 auid=unset uid=setroubleshoot gid=setroubleshoot euid=setroubleshoot suid=setroubleshoot fsuid=setroubleshoot egid=setroubleshoot sgid=setroubleshoot fsgid=setroubleshoot tty=(none) ses=unset comm=setroubleshootd exe=/usr/bin/python3.9 subj=system_u:system_r:setroubleshootd_t:s0 key=(null)\ntype=AVC msg=audit(04/24/2024 20:21:11.708:1626) : avc: denied { getattr } for pid=65298 comm=setroubleshootd path=/proc/sys/vm/max_map_count dev=\"proc\" ino=137784 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0\n\nResolves: RHEL-34078","shortMessageHtmlLink":"Allow setroubleshootd get attributes of all sysctls"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEXF5spwA","startCursor":null,"endCursor":null}},"title":"Activity · fedora-selinux/selinux-policy"}