Linux repositories inspector

selinux-policy-sandbox - SELinux policy sandbox

SELinux sandbox policy used for the policycoreutils-sandbox package
3.14.5: Fedora rawhide
3.14.3: Fedora 30
3.14.2: Fedora 29
3.14.1: Fedora 28
3.13.1: CentOS 7.6.1810
| Distribution | Version | Since | Package | Installed | Packager |
|---|---|---|---|---|---|
| CentOS 7.6.1810 atomic (rpm) | 3.13.1-63.atomic.el7.7 | Jan 23 | 380 kiB | 7.53 kiB | CentOS BuildSystem |
| CentOS 7.6.1810 cr (rpm) | 3.13.1-252.el7.1 | Sep 10 | 496 kiB | 82.4 kiB | CentOS BuildSystem |
| CentOS 7.6.1810 cr (rpm) | 3.13.1-252.el7 | Aug 30 | 495 kiB | 82.4 kiB | CentOS BuildSystem |
| CentOS 7.6.1810 os (rpm) | 3.13.1-229.el7 | Jan 14 | 486 kiB | 82.2 kiB | CentOS BuildSystem |
| CentOS 7.6.1810 updates (rpm) | 3.13.1-229.el7_6.9 | Feb 01 | 487 kiB | 82.2 kiB | CentOS BuildSystem |
| CentOS 7.6.1810 updates (rpm) | 3.13.1-229.el7_6.6 | Jan 14 | 487 kiB | 82.2 kiB | CentOS BuildSystem |
| CentOS 7.6.1810 updates (rpm) | 3.13.1-229.el7_6.5 | Jan 14 | 487 kiB | 82.2 kiB | CentOS BuildSystem |
| CentOS 7.6.1810 updates (rpm) | 3.13.1-229.el7_6.15 | Jul 31 | 488 kiB | 82.2 kiB | CentOS BuildSystem |
| CentOS 7.6.1810 updates (rpm) | 3.13.1-229.el7_6.12 | Jun 17 | 488 kiB | 82.2 kiB | CentOS BuildSystem |
| Fedora 28 releases/Everything-os (rpm) | 3.14.1-21.fc28 | Jan 14 | 541 kiB | 83.8 kiB | Fedora Project |
| Fedora 29 releases/Everything-os (rpm) | 3.14.2-40.fc29 | Jan 14 | 115 kiB | 84 kiB | Fedora Project |
| Fedora 29 releases-test/Everything-os (rpm) | 3.14.2-34.fc29 | Jan 14 | 114 kiB | 84 kiB | Fedora Project |
| Fedora 30 releases/Everything-os (rpm) | 3.14.3-29.fc30 | Jun 17 | 121 kiB | 84.4 kiB | Fedora Project |
| Fedora rawhide development/Everything-os (rpm) | 3.14.5-18.fc32 | Nov 29 | 125 kiB | 84.4 kiB | Fedora Project |

Latest updates


Fedora rawhide development/Everything-os: Updated from 3.14.5-17.fc32 to 3.14.5-18.fc32

Nov 29
  • Allow systemd to read all proc
  • Introduce new type pdns_var_lib_t
  • Allow zebra_t domain to read files labeled as nsfs_t.
  • Allow systemd to setattr on all device_nodes
  • Allow systemd to mounton and list all proc types

Fedora rawhide development/Everything-os: Updated from 3.14.5-16.fc32 to 3.14.5-17.fc32

Nov 28
  • Fix nonexisting types in rtas_errd_rw_lock interface
  • Allow snmpd_t domain to trace processes in user namespace
  • Allow timedatex_t domain to read relatime clock and adjtime_t files
  • Allow zebra_t domain to execute zebra binaries
  • Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t
  • Allow ksmtuned_t domain to trace processes in user namespace
  • Allow systemd to read symlinks in /var/lib
  • Update dev_mounton_all_device_nodes() interface
  • Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.
  • Allow systemd_domain to map files in /usr.
  • Allow strongswan start using swanctl method BZ(1773381)
  • Dontaudit systemd_tmpfiles_t getattr of all file types BZ(1772976)

Fedora rawhide development/Everything-os: Updated from 3.14.5-15.fc32 to 3.14.5-16.fc32

Nov 26
  • Allow timedatex_t domain dbus chat with both confined and unconfined users
  • Allow timedatex_t domain dbus chat with unconfined users
  • Allow NetworkManager_t manage dhcpc_state_t BZ(1770698)
  • Make unconfined domains part of domain_named_attribute
  • Label tcp ports 24816,24817 as pulp_port_t
  • Remove duplicate entries for initrc_t in init.te

Fedora rawhide development/Everything-os: Updated from 3.14.5-12.fc32 to 3.14.5-15.fc32

Nov 16
  • Increase SELinux userspace version which should be required.

Fedora rawhide development/Everything-os: Updated from 3.14.5-11.fc32 to 3.14.5-12.fc32

Nov 05
  • Label /var/cache/nginx as httpd_cache_t
  • Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald
  • Created dnsmasq_use_ipset boolean
  • Allow capability dac_override in logwatch_mail_t domain
  • Allow automount_t domain to execute ping in own SELinux domain (ping_t)
  • Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
  • Allow collectd_t domain to create netlink_generic_socket sockets
  • Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files
  • Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.
  • Label /etc/postfix/chroot-update as postfix_exec_t
  • Update tmpreaper_t policy due to fuser command
  • Allow kdump_t domain to create netlink_route and udp sockets
  • Allow stratisd to connect to dbus
  • Allow fail2ban_t domain to create netlink netfilter sockets.
  • Allow dovecot get filesystem quotas
  • Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689)
  • Allow systemd-tmpfiles processes to set rlimit information
  • Allow cephfs to use xattrs for storing contexts
  • Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t

Fedora rawhide development/Everything-os: Updated from 3.14.5-10.fc32 to 3.14.5-11.fc32

Oct 27
  • Allow confined users to run newaliases
  • Add interface mysql_dontaudit_rw_db()
  • Label /var/lib/xfsdump/inventory as amanda_var_lib_t
  • Allow tmpreaper_t domain to read all domains state
  • Make httpd_var_lib_t label system mountdir attribute
  • Update cockpit policy
  • Update timedatex policy to add macros, more detail below
  • Allow nagios_script_t domain list files labeled sysfs_t.
  • Allow jetty_t domain search and read cgroup_t files.
  • Dontaudit ifconfig_t domain to read/write mysqld_db_t files
  • Dontaudit domains read/write leaked pipes

Fedora rawhide development/Everything-os: Updated from 3.14.5-9.fc32 to 3.14.5-10.fc32

Oct 23
  • Update timedatex policy to add macros, more detail below
  • Allow nagios_script_t domain list files labeled sysfs_t.
  • Allow jetty_t domain search and read cgroup_t files.
  • Allow Gluster mount client to mount files_type
  • Dontaudit and disallow sys_admin capability for keepalived_t domain
  • Update numad policy to allow signull, kill, nice and trace processes
  • Allow ipmievd_t to RW watchdog devices
  • Allow ldconfig_t domain to manage initrc_tmp_t link files
  • Allow netutils_t domain to write to initrc_tmp_t fifo files
  • Allow user domains to manage user session services
  • Allow staff and user users to get status of user systemd session
  • Update sudo_role_template() to allow caller domain to read syslog pid files

Fedora rawhide development/Everything-os: Updated from 3.14.5-8.fc32 to 3.14.5-9.fc32

Oct 12
  • Allow networkmanager_t domain transition to chronyc_t domain BZ(1760226)

Fedora rawhide development/Everything-os: Updated from 3.14.5-6.fc32 to 3.14.5-8.fc32

Oct 10
  • Update apache and pkcs policies to make active opencryptoki rules
  • Allow ipa_ods_exporter_t domain to read krb5_keytab files BZ(1759884)

Fedora rawhide development/Everything-os: Updated from 3.14.5-5.fc32 to 3.14.5-6.fc32

Oct 05
  • Update aide_t domain to allow this tool to analyze also /dev filesystem
  • Allow bitlbee_t domain map files in /usr
  • Allow stratisd to getattr of fixed disk device nodes
  • Add net_broadcast capability to openvswitch_t domain BZ(1716044)
  • Allow exim_t to read mysqld conf files if exim_can_connect_db is enabled. BZ(1756973)
  • Allow cobblerd_t domain search apache configuration dirs
  • Dontaudit NetworkManager_t domain to write to kdump temp pipes BZ(1750428)
  • Label /var/log/collectd.log as collectd_log_t
  • Allow boltd_t domain to manage sysfs files and dirs BZ(1754360)
  • Add fowner capability to the pcp_pmlogger_t domain BZ(1754767)
  • networkmanager: allow NetworkManager_t to create bluetooth_socket
  • Fix ipa_custodia_stream_connect interface
  • Add new interface udev_getattr_rules_chr_files()
  • Make dbus-broker service working on s390x arch
  • Add new interface dev_mounton_all_device_nodes()
  • Add new interface dev_create_all_files()
  • Allow systemd(init_t) to load kernel modules
  • Allow ldconfig_t domain to manage initrc_tmp_t objects
  • Add new interface init_write_initrc_tmp_pipes()
  • Add new interface init_manage_script_tmp_files()
  • Allow xdm_t setpcap capability in user namespace BZ(1756790)
  • Allow x_userdomain to mmap generic SSL certificates
  • Allow xdm_t domain to use netlink_route sockets BZ(1756791)
  • Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directory BZ(1754245)
  • Allow sudo userdomain to run rpm related commands
  • Add sys_admin capability for ipsec_t domain
  • Allow systemd_modules_load_t domain to read systemd pid files
  • Add new interface init_read_pid_files()
  • Allow systemd labeled as init_t domain to manage faillog_t objects
  • Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc
  • Make ipa_custodia policy active

Fedora rawhide development/Everything-os: Updated from 3.14.5-3.fc32 to 3.14.5-5.fc32

Sep 21
  • Fix ipa_custodia_stream_connect interface
  • Allow systemd_modules_load_t domain to read systemd pid files
  • Add new interface init_read_pid_files()
  • Allow systemd labeled as init_t domain to manage faillog_t objects
  • Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc

Fedora rawhide development/Everything-os: Updated from 3.14.5-2.fc32 to 3.14.5-3.fc32

Sep 16
  • Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
  • Allow gssproxy_t domain read state of all processes on system
  • Fix typo in cachefilesd module
  • Allow cachefilesd_t domain to read/write cachefiles_device_t devices
  • Remove setting label for /dev/cachefilesd char device from cachefilesd policy. This should be added in base policy
  • Add sys_admin capability for keepalived_t labeled processes
  • Allow user_mail_domain attribute to manage files labeled as etc_aliases_t.
  • Create new type ipmievd_helper_t domain for loading kernel modules.
  • Run stratisd service as stratisd_t
  • Fix abrt_upload_watch_t in abrt policy
  • Update keepalived policy
  • Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types
  • Revert "Create admin_crontab_t and admin_crontab_tmp_t types"
  • Revert "Update cron_role() template to accept third parameter with SELinux domain prefix"
  • Allow amanda_t to manage its var lib files and read random_device_t
  • Create admin_crontab_t and admin_crontab_tmp_t types
  • Add setgid and setuid capabilities to keepalived_t domain
  • Update cron_role() template to accept third parameter with SELinux domain prefix
  • Allow psad_t domain to create tcp diag sockets BZ(1750324)
  • Allow systemd to mount fwupd_cache_t BZ(1750288)
  • Allow chronyc_t domain to append to all non_security files
  • Update zebra SELinux policy to make it work also with frr service
  • Allow rtkit_daemon_t domain set process nice value in user namespaces BZ(1750024)
  • Dontaudit rhsmcertd_t to write to dirs labeled as lib_t BZ(1556763)
  • Label /var/run/mysql as mysqld_var_run_t
  • Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects.
  • Update timedatex policy to manage localization
  • Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces
  • Update gnome_dontaudit_read_config
  • Allow devicekit_var_lib_t dirs to be created by systemd during service startup. BZ(1748997)
  • Allow systemd labeled as init_t domain to remount rootfs filesystem
  • Add interface files_remount_rootfs()
  • Dontaudit sys_admin capability for iptables_t SELinux domain
  • Label /dev/cachefilesd as cachefiles_device_t
  • Make stratisd policy active
  • Allow userdomains to dbus chat with policykit daemon
  • Update userdomains to pass correct parameters based on updates from cron_*_role interfaces
  • New interface files_append_non_security_files()
  • Label 2618/tcp and 2618/udp as priority_e_com_port_t
  • Label 2616/tcp and 2616/udp as appswitch_emp_port_t
  • Label 2615/tcp and 2615/udp as firepower_port_t
  • Label 2610/tcp and 2610/udp as versa_tek_port_t
  • Label 2613/tcp and 2613/udp as smntubootstrap_port_t
  • Label 3784/tcp and 3784/udp as bfd_control_port_t
  • Remove rule allowing all processes to stream connect to unconfined domains

CentOS 7.6.1810 cr: Updated from 3.13.1-252.el7 to 3.13.1-252.el7.1

Sep 10
  • Allow ganesha_t domain to connect to tcp portmap_port_t
Resolves: rhbz#1715088

Fedora rawhide development/Everything-os: Updated from 3.14.4-31.fc32 to 3.14.5-2.fc32

Sep 07
  • Allow zabbix_t domain to manage zabbix_var_lib_t sock files and connect to unix_stream_socket
  • Dontaudit sandbox web types to setattr lib_t dirs
  • Dontaudit system_mail_t domains to check for existence other applications on system BZ(1747369)
  • Allow haproxy_t domain to read network state of system
  • Allow processes labeled as keepalived_t domain to get process group
  • Introduce dbusd_unit_file_type
  • Allow pesign_t domain to read/write named cache files.
  • Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces.
  • Allow httpd_t domain to read/write named_cache_t files
  • Add new interface bind_rw_cache()
  • Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t.
  • Update cpucontrol_t SELinux policy
  • Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t
  • Run lldpd service as lldpad_t.
  • Allow spamd_update_t domain to create unix dgram sockets.
  • Update dbus role template for confined users to allow login into x session
  • Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t
  • Fix typo in networkmanager_append_log() interface
  • Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label
  • Allow login user type to use systemd user session
  • Allow xdm_t domain to start dbusd services.
  • Introduce new type xdm_unit_file_t
  • Remove allowing all domain to communicate over pipes with all domain under rpm_transition_domain attribute
  • Allow systemd labeled as init_t to remove sockets with tmp_t label BZ(1745632)
  • Allow ipsec_t domain to read/write named cache files
  • Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label
  • Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus
  • Label udp 8125 port as statsd_port_t

CentOS 7.6.1810 cr: Version 3.13.1-252.el7 introduced

Aug 30
  • Allow ganesha_t domain to connect to tcp portmap_port_t
Resolves: rhbz#1715088

Fedora rawhide development/Everything-os: Updated from 3.14.4-29.fc31 to 3.14.4-31.fc32

Aug 20
  • Update timedatex policy BZ(1734197)

Fedora rawhide development/Everything-os: Updated from 3.14.4-28.fc31 to 3.14.4-29.fc31

Aug 08
  • Allow dlm_controld_t domain setgid capability
  • Fix SELinux modules not installing in chroots.
Resolves: rhbz#1665643

Fedora rawhide development/Everything-os: Updated from 3.14.4-27.fc31 to 3.14.4-28.fc31

Aug 07
  • Allow systemd to create and bindmount dirs. BZ(1734831)

Fedora rawhide development/Everything-os: Updated from 3.14.4-26.fc31 to 3.14.4-27.fc31

Aug 06
  • Allow tlp domain run tlp in trace mode BZ(1737106)
  • Make timedatex_t domain system dbus bus client BZ(1737239)
  • Allow cgdcbxd_t domain to list cgroup dirs
  • Allow systemd to create and bindmount dirs. BZ(1734831)

Fedora rawhide development/Everything-os: Updated from 3.14.4-25.fc31 to 3.14.4-26.fc31

Aug 03
  • New policy for rrdcached
  • Allow dhcpd_t domain to read network sysctls.
  • Allow nut services to communicate with unconfined domains
  • Allow virt_domain to Support ecryptfs home dirs.
  • Allow domain transition lsmd_t to sensord_t
  • Allow httpd_t to signull mailman_cgi_t process
  • Make rrdcached policy active
  • Label /etc/sysconfig/ip6?tables\.save as system_conf_t Resolves: rhbz#1733542
  • Allow machinectl to run pull-tar BZ(1724247)

Related packages

selinux - Security-Enhanced Linux runtime support
selinux-policy - SELinux policy configuration