From 1449029ccde3a0b79167e8f9ed64f2607fdf9915 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 15 2022 07:00:33 +0000
Subject: import selinux-policy-34.1.43-1.el9
---
diff --git a/.gitignore b/.gitignore
index c3fab6b..da81579 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-58e2dc6.tar.gz
+SOURCES/selinux-policy-23a8268.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index 964340a..e4f9a4c 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,2 +1,2 @@
-acc296bd5037389e09d0ca1377a87c9a3fd5cf0b SOURCES/container-selinux.tgz
-1872ae64b9e720e7d4a8a116daeb4cc4c25111ee SOURCES/selinux-policy-58e2dc6.tar.gz
+2404b329e467495ccb771593ba306eb043932ffa SOURCES/container-selinux.tgz
+6329655722127a03a53c33d3c02f72df4246e718 SOURCES/selinux-policy-23a8268.tar.gz
diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf
index 61f027d..923a23e 100644
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@@ -2670,3 +2670,24 @@ ica = module # insights_client # insights_client = module
+
+# Layer: contrib
+# Module: stalld
+#
+# stalld
+#
+stalld = module
+
+# Layer: contrib
+# Module: rhcd
+#
+# rhcd
+#
+rhcd = module
+
+# Layer: contrib
+# Module: wireguard
+#
+# wireguard
+#
+wireguard = module
diff --git a/SOURCES/users-minimum b/SOURCES/users-minimum
index 8207eed..66af860 100644
--- a/SOURCES/users-minimum
+++ b/SOURCES/users-minimum
@@ -36,3 +36,4 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/SOURCES/users-mls b/SOURCES/users-mls
index 05d2671..8fad9ea 100644
--- a/SOURCES/users-mls
+++ b/SOURCES/users-mls
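Review bot: The three new module entries land out of the order the rest of the file appears to follow: the context shows `ica` followed by `insights_client`, yet the additions run stalld, rhcd, wireguard, so `rhcd` ends up after `stalld`. Placing each new block at its sorted position (rhcd before stalld, wireguard last) keeps the file consistent with the two context entries visible here; that the whole file is sorted is inferred from those two lines only. Each block otherwise follows the existing `# Layer / # Module` comment shape, which is fine.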
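Review bot: The new `gen_user(unconfined_u, ...)` line sits directly under the comment block ending `# not in the sysadm_r.`, which explains root's role set, so it reads as if that explanation also covered unconfined_u. Insert a blank line and a one-line comment before it, e.g. `# unconfined_u: unconfined_r plus system_r, full MLS range and all MCS categories`; the users-targeted hunk has the same layout, and the `guest_u`/`xguest_u` lines added in users-mls and users-targeted are likewise undocumented, including why they get the single level `s0, s0`. The changelog later on this page carries `Fix users for SELinux userspace 3.4` (rhbz#2079290), which is presumably why these users are now declared in the packaged users files; naming that reason in the comment would save the next reader the search.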
@@ -36,3 +36,5 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/SOURCES/users-targeted b/SOURCES/users-targeted
index 8207eed..a875306 100644
--- a/SOURCES/users-targeted
+++ b/SOURCES/users-targeted
@@ -36,3 +36,6 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 2742f9c..599d8f4 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -1,6 +1,6 @@
 # github repo with selinux-policy sources
 %global giturl https://github.com/fedora-selinux/selinux-policy
-%global commit 58e2dc6a7fd54d8754afd6c1f7cd042fa36ec7af
+%global commit 23a8268b99a25d662dda2ccbcf41d71e1d028fe9
 %global shortcommit %(c=%{commit}; echo ${c:0:7})
 %define distro redhat
@@ -19,12 +19,12 @@ %define BUILD_MLS 1
 %endif
 %define POLICYVER 33
-%define POLICYCOREUTILSVER 3.3-5
+%define POLICYCOREUTILSVER 3.4-1
 %define CHECKPOLICYVER 3.2
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 34.1.29
-Release: 1%{?dist}.2
+Version: 34.1.43
+Release: 1%{?dist}
 License: GPLv2+
 Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
 Source1: modules-targeted-base.conf
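Review bot: users-mls gains only `guest_u` and `xguest_u`, whereas users-minimum and users-targeted in this same commit also add `unconfined_u` with `unconfined_r system_r`, and nothing in the hunk explains the asymmetry. If leaving unconfined_u out of the MLS user set is deliberate, a comment next to the new lines such as `# unconfined_u is intentionally not defined for the mls policy` would stop a later change from "completing" the set. I am inferring intent from the three files only; whether the MLS build even defines unconfined_r is not visible here.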
@@ -139,6 +139,7 @@ and some additional files.
 %dir %{_datadir}/selinux/devel
 %dir %{_datadir}/selinux/devel/include
 %{_datadir}/selinux/devel/include/*
+%exclude %{_usr}/share/selinux/devel/include/contrib/container.if
 %dir %{_datadir}/selinux/devel/html
 %{_datadir}/selinux/devel/html/*html
 %{_datadir}/selinux/devel/html/*css
@@ -584,7 +585,7 @@ fi exit 0
-%triggerin -- pcre
+%triggerin -- pcre2
 %{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
 exit 0
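Review bot: The added `%exclude` spells the path as `%{_usr}/share/selinux/devel/include/contrib/container.if` while every neighbouring entry uses `%{_datadir}/selinux/devel/...`; `%exclude %{_datadir}/selinux/devel/include/contrib/container.if` keeps the file list uniform and guarantees the exclusion matches the `%{_datadir}/selinux/devel/include/*` entry two lines above, whatever `%{_datadir}` expands to. A short comment on why the file is dropped from the devel package would also help: the changelog on this page records it as `Exclude container.if from selinux-policy-devel` (rhbz#1861968), and the `SOURCES/container-selinux.tgz` source suggests the container policy ships its own copy of that interface, though that last part is inferred.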
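Review bot: The `%triggerin -- pcre2` scriptlet carries no comment saying why an update of a regex library must rebuild the policy store, and the replaced `pcre` trigger had none either. A line above it such as `# file_contexts are compiled against the regex library libselinux links; rebuild the store when it changes` would document the `semodule -nB` call (that reading of the trigger is my understanding, not stated on the page). Note also that the `pcre` trigger is replaced rather than kept alongside the new one, so a host whose libselinux still used pcre would no longer get the rebuild; this is presumably covered by the `POLICYCOREUTILSVER 3.4-1` bump earlier in this commit, but that link is inferred and worth confirming.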
@@ -793,69 +794,310 @@ exit 0 %endif %changelog -* Thu Aug 04 2022 Zdenek Pytela - 34.1.29-1.2 -- Allow insights-client rpm named file transitions -Resolves: rhbz#2106147 -- Add /var/tmp/insights-archive to insights_client_filetrans_named_content -Resolves: rhbz#2106147 -- Use insights_client_filetrans_named_content -Resolves: rhbz#2106147 -- Make default file context match with named transitions -Resolves: rhbz#2106147 -- Allow rhsmcertd to read insights config files -Resolves: rhbz#2106147 -- Label /etc/insights-client/machine-id -Resolves: rhbz#2106147 +* Thu Sep 08 2022 Zdenek Pytela - 34.1.43-1 +- Update rhcd policy for executing additional commands 5 +Resolves: rhbz#2119351 +- Update rhcd policy for executing additional commands 4 +Resolves: rhbz#2119351 +- Allow rhcd create rpm hawkey logs with correct label +Resolves: rhbz#2119351 +- Update rhcd policy for executing additional commands 3 +Resolves: rhbz#2119351 +- Allow sssd to set samba setting +Resolves: rhbz#2121125 +- Allow journalctl read rhcd fifo files +Resolves: rhbz#2119351 +- Update insights-client policy for additional commands execution 5 +Resolves: rhbz#2121125 +- Confine insights-client systemd unit +Resolves: rhbz#2121125 +- Update insights-client policy for additional commands execution 4 +Resolves: rhbz#2121125 +- Update insights-client policy for additional commands execution 3 +Resolves: rhbz#2121125 +- Allow rhcd execute all executables +Resolves: rhbz#2119351 +- Update rhcd policy for executing additional commands 2 +Resolves: rhbz#2119351 +- Update insights-client policy for additional commands execution 2 +Resolves: rhbz#2121125 + +* Mon Aug 29 2022 Zdenek Pytela - 34.1.42-1 +- Label /var/log/rhc-worker-playbook with rhcd_var_log_t +Resolves: rhbz#2119351 +- Update insights-client policy (auditctl, gpg, journal) +Resolves: rhbz#2107363 + +* Thu Aug 25 2022 Nikola Knazekova - 34.1.41-1 +- Allow unconfined domains to bpf all other domains +Resolves: RHBZ#2112014 +- Allow stalld get and 
set scheduling policy of all domains. +Resolves: rhbz#2105038 +- Allow unconfined_t transition to targetclid_home_t +Resolves: RHBZ#2106360 +- Allow samba-bgqd to read a printer list +Resolves: rhbz#2118977 +- Allow system_dbusd ioctl kernel with a unix stream sockets +Resolves: rhbz#2085392 +- Allow chronyd bind UDP sockets to ptp_event ports. +Resolves: RHBZ#2118631 +- Update tor_bind_all_unreserved_ports interface +Resolves: RHBZ#2089486 +- Remove permissive domain for rhcd_t +Resolves: rhbz#2119351 +- Allow unconfined and sysadm users transition for /root/.gnupg +Resolves: rhbz#2121125 +- Add gpg_filetrans_admin_home_content() interface +Resolves: rhbz#2121125 +- Update rhcd policy for executing additional commands +Resolves: rhbz#2119351 +- Update insights-client policy for additional commands execution +Resolves: rhbz#2119507 +- Add rpm setattr db files macro +Resolves: rhbz#2119507 +- Add userdom_view_all_users_keys() interface +Resolves: rhbz#2119507 +- Allow gpg read and write generic pty type +Resolves: rhbz#2119507 +- Allow chronyc read and write generic pty type +Resolves: rhbz#2119507 + +* Wed Aug 10 2022 Nikola Knazekova - 34.1.40-1 +- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd +Resolves: RHBZ#2088257 +- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t +Resolves: RHBZ#1976684 +- Allow samba-bgqd get a printer list +Resolves: rhbz#2112395 +- Allow networkmanager to signal unconfined process +Resolves: RHBZ#2074414 +- Update NetworkManager-dispatcher policy +Resolves: RHBZ#2101910 +- Allow openvswitch search tracefs dirs +Resolves: rhbz#1988164 +- Allow openvswitch use its private tmpfs files and dirs +Resolves: rhbz#1988164 +- Allow openvswitch fsetid capability +Resolves: rhbz#1988164 + +* Tue Aug 02 2022 Nikola Knazekova - 34.1.39-1 +- Add support for systemd-network-generator +Resolves: RHBZ#2111069 +- Allow systemd work with install_t unix stream sockets +Resolves: rhbz#2111206 +- Allow sa-update to 
get init status and start systemd files +Resolves: RHBZ#2061844 + +* Fri Jul 15 2022 Nikola Knazekova - 34.1.38-1 +- Allow some domains use sd_notify() +Resolves: rhbz#2056565 +- Revert "Allow rabbitmq to use systemd notify" +Resolves: rhbz#2056565 +- Update winbind_rpcd_t +Resolves: rhbz#2102084 +- Update chronyd_pid_filetrans() to allow create dirs +Resolves: rhbz#2101910 +- Allow keepalived read the contents of the sysfs filesystem +Resolves: rhbz#2098130 +- Define LIBSEPOL version 3.4-1 +Resolves: rhbz#2095688 + +* Wed Jun 29 2022 Zdenek Pytela - 34.1.37-1 +- Allow targetclid read /var/target files +Resolves: rhbz#2020169 +- Update samba-dcerpcd policy for kerberos usage 2 +Resolves: rhbz#2096521 +- Allow samba-dcerpcd work with sssd +Resolves: rhbz#2096521 +- Allow stalld set scheduling policy of kernel threads +Resolves: rhbz#2102224 + +* Tue Jun 28 2022 Zdenek Pytela - 34.1.36-1 +- Allow targetclid read generic SSL certificates (fixed) +Resolves: rhbz#2020169 +- Fix file context pattern for /var/target +Resolves: rhbz#2020169 - Use insights_client_etc_t in insights_search_config() -Resolves: rhbz#2106147 -- Add the insights_search_config() interface -Resolves: rhbz#2106147 - -* Wed Jul 13 2022 Zdenek Pytela - 34.1.29-1.1 +Resolves: rhbz#1965013 + +* Fri Jun 24 2022 Zdenek Pytela - 34.1.35-1 +-Add the corecmd_watch_bin_dirs() interface +Resolves: rhbz#1965013 +- Update rhcd policy +Resolves: rhbz#1965013 +- Allow rhcd search insights configuration directories +Resolves: rhbz#1965013 +- Add the kernel_read_proc_files() interface +Resolves: rhbz#1965013 - Update insights_client_filetrans_named_content() -Resolves: rhbz#2106147 +Resolves: rhbz#2081425 - Allow transition to insights_client named content -Resolves: rhbz#2106147 +Resolves: rhbz#2081425 - Add the insights_client_filetrans_named_content() interface -Resolves: rhbz#2106147 +Resolves: rhbz#2081425 - Update policy for insights-client to run additional commands 3 -Resolves: rhbz#2106147 +Resolves: 
rhbz#2081425 - Allow insights-client execute its private memfd: objects -Resolves: rhbz#2106147 +Resolves: rhbz#2081425 - Update policy for insights-client to run additional commands 2 -Resolves: rhbz#2106147 +Resolves: rhbz#2081425 - Use insights_client_tmp_t instead of insights_client_var_tmp_t -Resolves: rhbz#2106147 +Resolves: rhbz#2081425 - Change space indentation to tab in insights-client -Resolves: rhbz#2106147 +Resolves: rhbz#2081425 - Use socket permissions sets in insights-client -Resolves: rhbz#2106147 +Resolves: rhbz#2081425 - Update policy for insights-client to run additional commands -Resolves: rhbz#2106147 +Resolves: rhbz#2081425 - Allow init_t to rw insights_client unnamed pipe -Resolves: rhbz#2106147 -- Change rpm_setattr_db_files() to use a pattern -Resolves: rhbz#2106147 -- Add rpm setattr db files macro -Resolves: rhbz#2106147 +Resolves: rhbz#2081425 - Fix insights client -Resolves: rhbz#2106147 +Resolves: rhbz#2081425 - Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling -Resolves: rhbz#2106147 +Resolves: rhbz#2081425 +- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t +Resolves: rhbz#2081425 +- Allow stalld get scheduling policy of kernel threads +Resolves: rhbz#2096776 +- Update samba-dcerpcd policy for kerberos usage +Resolves: rhbz#2096521 +- Allow winbind_rpcd_t connect to self over a unix_stream_socket +Resolves: rhbz#2096255 +- Allow dlm_controld send a null signal to a cluster daemon +Resolves: rhbz#2095884 +- Allow dhclient manage pid files used by chronyd +The chronyd_manage_pid_files() interface was added. 
+- Resolves: rhbz#2094155 +Allow install_t nnp_domtrans to setfiles_mac_t +- Resolves: rhbz#2073010 +- Allow rabbitmq to use systemd notify +Resolves: rhbz#2056565 +- Allow ksmctl create hardware state information files +Resolves: rhbz#2021131 +- Label /var/target with targetd_var_t +Resolves: rhbz#2020169 +- Allow targetclid read generic SSL certificates +Resolves: rhbz#2020169 + +* Thu Jun 09 2022 Zdenek Pytela - 34.1.34-1 +- Allow stalld setsched and sys_nice +Resolves: rhbz#2092864 +- Allow rhsmcertd to create cache file in /var/cache/cloud-what +Resolves: rhbz#2092333 +- Update policy for samba-dcerpcd +Resolves: rhbz#2083509 +- Add support for samba-dcerpcd +Resolves: rhbz#2083509 +- Allow rabbitmq to access its private memfd: objects +Resolves: rhbz#2056565 +- Confine targetcli +Resolves: rhbz#2020169 +- Add policy for wireguard +Resolves: 1964862 - Label /var/cache/insights with insights_client_cache_t -Resolves: rhbz#2106147 +Resolves: rhbz#2062136 +- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket +Resolves: rhbz#2094489 +- Allow auditd_t noatsecure for a transition to audisp_remote_t +Resolves: rhbz#2081907 + +* Fri May 27 2022 Zdenek Pytela - 34.1.33-1 - Allow insights-client manage gpg admin home content -Resolves: rhbz#2106147 +Resolves: rhbz#2062136 - Add the gpg_manage_admin_home_content() interface -Resolves: rhbz#2106147 +Resolves: rhbz#2062136 +- Add rhcd policy +Resolves: bz#1965013 +- Allow svirt connectto virtlogd +Resolves: rhbz#2000881 +- Add ksm service to ksmtuned +Resolves: rhbz#2021131 +- Allow nm-privhelper setsched permission and send system logs +Resolves: rhbz#2053639 +- Update the policy for systemd-journal-upload +Resolves: rhbz#2085369 +- Allow systemd-journal-upload watch logs and journal +Resolves: rhbz#2085369 +- Create a policy for systemd-journal-upload +Resolves: rhbz#2085369 - Allow insights-client create and use unix_dgram_socket -Resolves: rhbz#2106147 +Resolves: rhbz#2087765 - Allow insights-client search gconf homedir 
-Resolves: rhbz#2106147 +Resolves: rhbz#2087765 + +* Wed May 11 2022 Zdenek Pytela - 34.1.32-1 +- Dontaudit guest attempts to dbus chat with systemd domains +Resolves: rhbz#2062740 +- Dontaudit guest attempts to dbus chat with system bus types +Resolves: rhbz#2062740 +- Fix users for SELinux userspace 3.4 +Resolves: rhbz#2079290 +- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template +Resolves: rhbz#2076681 +- Allow systemd-sleep get removable devices attributes +Resolves: rhbz#2082404 +- Allow systemd-sleep tlp_filetrans_named_content() +Resolves: rhbz#2082404 +- Allow systemd-sleep execute generic programs +Resolves: rhbz#2082404 +- Allow systemd-sleep execute shell +Resolves: rhbz#2082404 +- Allow systemd-sleep transition to sysstat_t +Resolves: rhbz#2082404 +- Allow systemd-sleep transition to tlp_t +Resolves: rhbz#2082404 +- Allow systemd-sleep transition to unconfined_service_t on bin_t executables +Resolves: rhbz#2082404 +- allow systemd-sleep to set timer for suspend-then-hibernate +Resolves: rhbz#2082404 +- Add default fc specifications for patterns in /opt +Resolves: rhbz#2081059 +- Use a named transition in systemd_hwdb_manage_config() +Resolves: rhbz#2061725 + +* Wed May 04 2022 Nikola Knazekova - 34.1.31-2 +- Remove "v" from the package version + +* Mon May 02 2022 Nikola Knazekova - v34.1.31-1 +- Label /var/run/machine-id as machineid_t +Resolves: rhbz#2061680 - Allow insights-client create_socket_perms for tcp/udp sockets -Resolves: rhbz#2106147 +Resolves: rhbz#2077377 - Allow insights-client read rhnsd config files -Resolves: rhbz#2106147 +Resolves: rhbz#2077377 +- Allow rngd drop privileges via setuid/setgid/setcap +Resolves: rhbz#2076642 +- Allow tmpreaper the sys_ptrace userns capability +Resolves: rhbz#2062823 +- Add stalld to modules.conf +Resolves: rhbz#2042614 +- New policy for stalld +Resolves: rhbz#2042614 +- Label new utility of NetworkManager nm-priv-helper +Resolves: rhbz#2053639 +- Exclude container.if from 
selinux-policy-devel +Resolves: rhbz#1861968 + +* Tue Apr 19 2022 Zdenek Pytela - 34.1.30-2 +- Update source branches to build a new package for RHEL 9.1.0 + +* Tue Apr 12 2022 Nikola Knazekova - 34.1.30-1 +- Allow administrative users the bpf capability +Resolves: RHBZ#2070982 +- Allow NetworkManager talk with unconfined user over unix domain dgram socket +Resolves: rhbz#2064688 +- Allow hostapd talk with unconfined user over unix domain dgram socket +Resolves: rhbz#2064688 +- Allow fprintd read and write hardware state information +Resolves: rhbz#2062911 +- Allow fenced read kerberos key tables +Resolves: RHBZ#2060722 +- Allow init watch and watch_reads user ttys +Resolves: rhbz#2060289 +- Allow systemd watch and watch_reads console devices +Resolves: rhbz#2060289 +- Allow nmap create and use rdma socket +Resolves: RHBZ#2059603 * Thu Mar 31 2022 Zdenek Pytela - 34.1.29-1 - Allow qemu-kvm create and use netlink rdma sockets