* Tue Jun 30 2026 Zdenek Pytela <zpytela@redhat.com> - 45.8-1
- Include key_socket in socket_class_set
- Remove 14 permissive domains
- ci: Run cockpit-machines tests in PRs
- Remove the lockdown class from the policy

* Fri Jun 26 2026 Zdenek Pytela <zpytela@redhat.com> - 45.7-1
- Allow systemd-logind the sys_ptrace capability in the user namespace
- Allow systemd-sleep the perfmon capability
- Allow sshd_session_t dyntransition to sftpd_t
- Allow lttng kernel tracing
- Allow loadkeys create and use its private tmpfs files
- Allow journald create and use netlink_tcpdiag_socket
- Fix typo in the comment of build.conf
- Allow gpg_pinentry_t to write session dbus socket files

* Mon Jun 22 2026 Zdenek Pytela <zpytela@redhat.com> - 45.6-1
- Allow systemd-hostnamed read hwdb files
- Allow systemd-machined to manage nspawn runtime directory
- Allow pcm-sensor-server the sys_admin capability
- Allow nut/upsmon read nut_conf_t symlinks
- Support new sanlock features - using libdm and SG_IO
- Allow thumb_t mount proc filesystem
- Allow aide connect to the GDM userdb provider socket
- Allow postfix_postdrop_t/system_mail_t append to init unix domain stream sockets
- Allow nfsd_t to create netlink_generic_socket (bsc#1267826)

* Fri Jun 12 2026 Zdenek Pytela <zpytela@redhat.com> - 45.5-1
- Add anaconda_ioctl_fifo_files_install() and anaconda_write_fifo_files_install()
- Allow install_t domain transition to insights_client_t
- Allow staff user mounton /var/lib dirs
- Allow systemd-coredump signull container runtime
- Allow blueman get the attributes of a tmpfs filesystem
- portage_compile_domain: Require xdm_xserver_tmp_t type
- Add missing interface requirements
- Dontaudit virt_driver_domain execmem
- Fixed file after comment from zpytela
- Added caddy-related paths
- Remove extra parameters from interface headers
- Update bootupd policy for running lsblk
- Allow pcscd_t to search cgroup

* Thu Jun 04 2026 Zdenek Pytela <zpytela@redhat.com> - 45.4-1
- Update dbus_role_template() with communication over unix dgram socket
- Allow staff user read nsfs files
- Allow staff user additional sandboxing permissions
- Dontaudit sa-update perfmon and sys_admin capabilities
- packit: Stop notifying martinpitt for Cockpit test failures
- Allow the kernel to also execute special files
- Bring back execmem permission for svirt_tcg_t
- Dontaudit tlp_t requesting dac_read_search (bsc#1265386)
- Leave content of virtqemud_use_execmem empty
- Dontaudit libvirt-daemons execmem
- Allow virtstoraged to setattr fixed disk devices
- Dontaudit ksmtuned dac_read_search and dac_override capabilities
- Remove unused hypervkvp_unit_file_t
- Allow mock create and use its private tmpfs files
- Allow samba-bgqd send to nmbd over a unix datagram socket
- Dontaudit apcupsd dac_override (bsc#1261232)
- Allow virtqemud_t to call and transition into udev

* Wed May 20 2026 Rachel Menge <rlmenge@gmail.com> - 45.3-2
- Remove deprecated checkreqprot tmpfiles write in selinux-policy.conf

* Mon May 18 2026 Zdenek Pytela <zpytela@redhat.com> - 45.3-1
- Allow sys_resource on execution of generic executables conditionally
- Label bootloader-migrate-generator with coreos_bootloader_migrate_generator_exec_t
- Label /run/coreos with coreos_installer_var_run_t
- Add systemd_create_generator_unit_file() and systemd_write_generator_unit_file()
- Allow virtnwfilterd_t r/w on packet_socket (bsc#1264273)
- Update fstools swap interfaces with dir search
- Allow go-fdo-server to read system information
- Add missing fc rule for org.gnome.DisplayManager (bsc#1264182)
- config: make /etc/systemd/user same as /usr/lib/systemd/user
- Do not audit iptables attempts to read other process state
- Policy for go-fdo-server
- Allow setroubleshoot_fixit_t to touch /.autorelabel and reboot

* Mon Apr 27 2026 Zdenek Pytela <zpytela@redhat.com> - 45.2-1
- Allow init nnp domain transition to dirsrv_t and dirsrv_snmp_t
- Allow NetworkManager_dispatcher_nvme_t check status of systemd services
- Allow iptables_t read state of some processes
- Label /dev/HID-SENSOR-.* with hid_sensor_device_t
- Allow thumb_t setattr on thumb_tmp_t lnk_files
- Allow accounts-daemon read accountsd_share_t symlinks
- Label /usr/bin/sudo-rs and /usr/bin/su-rs
- Allow gpsd the setcap process capability

* Mon Apr 20 2026 Zdenek Pytela <zpytela@redhat.com> - 45.1-1
- Do not backslash-escape underscores in file context specifications
- Allow systemd_homework_t to delete systemd_homed_record_t dirs (bsc#1261359)
- Allow sshd-auth/sshd-session get attributes of their sshd parent
- Allow systemd-tmpfiles to adjust resource limits
- Allow logwatch to getattr nsfs files
- Allow xdm dbus chat with rhsmcertd
- Allow dhcpc_hook_t unix_dgram_socket and module_request
- Allow accountsd list accountsd_share_t dirs
- Allow cloud init to domtrans into ssh keygen (bsc#1249964)

* Wed Apr 08 2026 Vit Mojzis <vmojzis@redhat.com> - 43.6-2
- Advertise ownership of DPS-related file paths
- Remove trigger{in|preun} triggers for binsbin and varrun
- Rebuild policy before running {binsbin|varrun}-convert.sh
- Use docdir for documentation data directory
- Move the awk post-requires to the minimum subpackage
- Fix disabling modules in "%post minimum"

* Fri Apr 03 2026 Zdenek Pytela <zpytela@redhat.com> - 43.6-1
- Allow accountsd dbus chat with systemd-homed
- Allow accountsd read accountsd_share_t files
- Fix file context specification for /usr/share/accountsservice
- Allow xdm_exec_t be an entrypoint of login_userdomain
- Allow sshd-session send a generic signal to sshd-auth
- Allow virtnetworkd get attributes of filesystems with extended attributes
- Allow Polkit to get attributes of user terminals
- Allow nfsidmap connect to xdm over a unix stream socket

* Thu Apr 02 2026 Zdenek Pytela <zpytela@redhat.com> - 43.5-1
- Allow virtnetworkd get attributes of filesystems with extended attributes
- Allow Polkit to get attributes of user terminals
- Allow nfsidmap connect to xdm over a unix stream socket
- Label /usr/share/accountsservice with accountsd_share_t
- Allow systemd-resolved write to systemd-networkd socket
- Dontaudit setroubleshootd read root's home files like .rpmmacros
- Support sandboxing features for sysadm_t
- Allow unconfined_t mounton on itself (bsc#1261035)

* Tue Mar 31 2026 Zdenek Pytela <zpytela@redhat.com> - 43.4-2
- Remove unnecessary dependencies

* Fri Mar 27 2026 Zdenek Pytela <zpytela@redhat.com> - 43.4-1
- Update support for polkit agent helper (bsc#1251931)
- Add auth_nnp_domtrans_chkpwd()
- Allow staff_sudo_t read PID1's process state
- Allow staff_sudo_t read logind sessions files
- Allow nfs-server system generator the dac_read_search capability
- Allow snmpd create and use netlink tcpdiag socket
- Allow systemd-coredump signull containers
- Allow named_filetrans_domain filetrans flatpak homedir (bsc#1253682)
- Dontaudit logrotate perfmon and sys_admin capabilities
- Allow samba-bgqd sendto over a unix dgram socket

* Mon Mar 23 2026 Zdenek Pytela <zpytela@redhat.com> - 43.3-1
- Move interfaces from other modules to optional block

* Sat Mar 21 2026 Zdenek Pytela <zpytela@redhat.com> - 43.2-1
- Allow fedoratp_exec_t be an entrypoint of unconfined_t
- Allow rasdaemon_t to list pstore (bsc#1259742)
- Allow virtqemud_t send kill signal to svirt_tcg_t
- Allow virtqemud_t get priority of a svirt_t process
- Allow sysadm user connect to lvm over a unix stream socket
- Allow staff user delete thumb_tmp_t files
- Allow staff user connect to systemd-logind over a unix stream socket
- Allow staff user mount /proc
- Allow virtqemud map vhost net device
- Dontaudit ps to read proc (bsc#1257527)
- Allow dovecot_deliver_t map its private tmp files
- Allow rpcbind get attributes of the pidfs filesystem
- Fix names in mysql.if
- Allow create kerberos files in mysql db home
- Allow systemd-resolved connect to systemd-networkd over a unix stream socket

* Tue Mar 10 2026 Zdenek Pytela <zpytela@redhat.com> - 43.1-1
- Allow redis_t to create netlink_rdma_socket
- Allow systemd create symlinks in /run/varlink/registry
- Support hooks in /run/systemd/resolve.hook
- Allow virtlogd_t dac_override for virtlock (bsc#1253389)
- Allow mdadm use modprobe (bsc#1257793)
- Allow systemd-mountfsd the perfmon capability
- Allow lttng tracing in default configuration
- Allow rtkit-daemon write systemd inhibit pipes
- Apply the systemd system generator template to the kdump-dep generator
- Apply the systemd system generator template to the anaconda generator

* Thu Mar 05 2026 Zdenek Pytela <zpytela@redhat.com> - 42.25-1
- Dontaudit ps permissions that tlp_t does not need (bsc#1257527)
- TLP uses ps aux to check for different services (bsc#1257527)
- Introduce separate types for generic systemd generators.
- Confine system generator nm-initrd-generator.sh (bsc#1257754)
- Allow rtkit-daemon dbus chat with systemd-logind
- ecryptfs uses /home/.ecryptfs for full homedir encryption (bsc#1258350)
- Dontaudit tlshd write generic certificate dirs
- Allow systemd-coredump the kill capability in the user namespace
- Allow NetworkManager list bpf directories
- Allow virtnodedevd the dac_read_search capability
- Allow pkcsslotd read files in /proc and /sys
- Allow pkcsslotd map its private tmpfs files
- Allow dovecot-auth to connect to systemd-logind over a unix socket
- Allow tlshd write generic certificate dirs

* Fri Feb 13 2026 Zdenek Pytela <zpytela@redhat.com> - 42.24-1
- Allow mdadm to use CAP_BPF during RAID monitoring
- Allow rhsmcertd read anaconda run files
- Allow rpc.mountd setuid and setgid capabilities
- Use kernel_dgram_send() for systemd_notify_t
- Allow lttng-sessiond to use sd_notify
- Label /etc/aliases.cdb with etc_aliases_t
- Add aliases.lmdb to mta_filetrans_named_content()
- Update gpg_role() interface with unix_stream_socket permissions
- Allow systemd-hostnamed to create its Varlink socket

* Wed Feb 04 2026 Zdenek Pytela <zpytela@redhat.com> - 42.23-1
- Allow thumbnailer mount on fonts cache directories
- Support confined users usage of bubblewrap
- Allow vdagent get attributes of the pidfs filesystem
- Allow sshd-session inherit limits from its parent sshd process
- Revert "Allow sshd-session inherit limits from its parent process"
- Allow sshd-session read network sysctls
- Add the fs_write_tmpfs_files() interface
- Update gpg policy for interactions with rhc-playbook-verifier
- Allow rhc_playbook_verifier_t stream connect to itself
- Update policy for rhc-worker-playbook
- Allow sudodomain connect to gkeyringd over a unix stream socket
- Allow tlshd communication to unconfined_t over a tcp socket
- Allow tlshd write generic certificates
- Allow thumbnailer connect to abrt over a unix stream socket

* Fri Jan 23 2026 Zdenek Pytela <zpytela@redhat.com> - 42.22-1
- Allow thumb_t stream connect to systemd-machined
- Allow thumb_t stream connect to systemd-homed
- Allow aide get attributes of tmpfs and devtmpfs filesystems
- Allow sshd noatsecure on sshd-session execution
- Confine rhc-worker-playbook.worker and rhc-playbook-verifier
- Allow kernel_t to read/write all domains' pipes
- Allow domain read sysfs files
- Allow abrt_dump_oops to write to init sockets
- Add insights_client service interfaces
- Allow plasma login manager stop login services
- Allow NM nvme dispatcher script start systemd services

* Sat Jan 17 2026 Fedora Release Engineering <releng@fedoraproject.org> - 42.21-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
