From 1778514e56711d5f34cd4c5fc2cc688b07221f59 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Apr 07 2018 18:34:23 +0000 Subject: * Sat Apr 07 2018 Lukas Vrabec - 3.14.2-12 - Add new boolean redis_enable_notify() - Label /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t - Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/ - Allow svnserve_t domain to manage kerberos rcache and read krb5 keytab - Add dac_override and dac_read_search capability to hypervvssd_t domain - Label /usr/lib/systemd/systemd-fence_sanlockd as fenced_exec_t - Allow samba to create /tmp/host_0 as krb5_host_rcache_t - Add dac_override capability to fsdaemon_t BZ(1564143) - Allow abrt_t domain to map dos files BZ(1564193) - Add dac_override capability to automount_t domain - Allow keepalived_t domain to connect to system dbus bus - Allow nfsd_t to read nvme block devices BZ(1562554) - Allow lircd_t domain to execute bin_t files BZ(1562835) - Allow l2tpd_t domain to read sssd public files BZ(1563355) - Allow logrotate_t domain to do dac_override BZ(1539327) - Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t - Add capability sys_resource to systemd_sysctl_t domain - Label all /dev/rbd* devices as fixed_disk_device_t - Allow xdm_t domain to mmap xserver_log_t files BZ(1564469) - Allow local_login_t domain to rread udev db - Allow systemd_gpt_generator_t to read /dev/random device - add definition of bpf class and systemd perms --- diff --git a/.gitignore b/.gitignore index 7d4d91e..26b031a 100644 --- a/.gitignore +++ b/.gitignore @@ -268,3 +268,5 @@ serefpolicy* /selinux-policy-contrib-504d76b.tar.gz /selinux-policy-01924d8.tar.gz /selinux-policy-contrib-1255203.tar.gz +/selinux-policy-contrib-10b75cc.tar.gz +/selinux-policy-bb22502.tar.gz diff --git a/selinux-policy.spec b/selinux-policy.spec index 8d04401..a62ef94 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 01924d88be61f3e27e247848a94c855fe00569dd +%global commit0 bb225028a9a5145547fb08cc8b18d1d17b1b4c02 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 1255203e38764839fa90a34f43de98f81278756a +%global commit1 10b75cc2d3be4bc057bb63d254afaacd53a9cd03 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat @@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.2 -Release: 11%{?dist} +Release: 12%{?dist} License: GPLv2+ Group: System Environment/Base Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz @@ -717,6 +717,30 @@ exit 0 %endif %changelog +* Sat Apr 07 2018 Lukas Vrabec - 3.14.2-12 +- Add new boolean redis_enable_notify() +- Label /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t +- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/ +- Allow svnserve_t domain to manage kerberos rcache and read krb5 keytab +- Add dac_override and dac_read_search capability to hypervvssd_t domain +- Label /usr/lib/systemd/systemd-fence_sanlockd as fenced_exec_t +- Allow samba to create /tmp/host_0 as krb5_host_rcache_t +- Add dac_override capability to fsdaemon_t BZ(1564143) +- Allow abrt_t domain to map dos files BZ(1564193) +- Add dac_override capability to automount_t domain +- Allow keepalived_t domain to connect to system dbus bus +- Allow nfsd_t to read nvme block devices BZ(1562554) +- Allow lircd_t domain to execute bin_t files BZ(1562835) +- Allow l2tpd_t domain to read sssd public files BZ(1563355) +- Allow logrotate_t domain to do dac_override BZ(1539327) +- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t +- Add capability sys_resource to systemd_sysctl_t domain +- Label all /dev/rbd* devices as fixed_disk_device_t +- Allow xdm_t domain to mmap xserver_log_t files BZ(1564469) +- Allow local_login_t domain to rread udev db +- Allow systemd_gpt_generator_t to read /dev/random device +- add definition of bpf class and systemd perms + * Thu Mar 29 2018 Lukas Vrabec - 3.14.2-11 - Allow accountsd_t domain to dac override BZ(1561304) - Allow cockpit_ws_t domain to read system state BZ(1561053) diff --git a/sources b/sources index 6c482d1..77b53e1 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (selinux-policy-01924d8.tar.gz) = c8ebdee9ac293216059e06100cb4c1c3d4f8db0e9bb27a4eeccf3f760a99e0bc77e159cfb56247b58bbe743f8ebda2fc8c73c4fe2182646d81d3dae4651419f8 -SHA512 (selinux-policy-contrib-1255203.tar.gz) = 5d3db6f6417d5d2197afad616e65baac4d32e01825410d190841e15cef63f3c4e2cd799d0407e86662eddf3ae79b80e1ea41e6408562a7466e662b910798ccd6 -SHA512 (container-selinux.tgz) = adfdb07302cfc3083e194b37708908a83365c3ff609033cb66270dc35e4ef02528c7bce9c320f3ad5dc054d5559649666ccd2e1b30e6dd0d02fee0c0d6ca71ee +SHA512 (selinux-policy-contrib-10b75cc.tar.gz) = 406584495d53ef60dfe90a842906d86dd93c769f5e3c207ef8ca49be90d54bc98615b23953217bce945d0099be928fafe3ac60d0912456335c0652c8ab282def +SHA512 (selinux-policy-bb22502.tar.gz) = 9571c259971c43168e2feb352ee03579e68084b00565ce567040c06e556fe64ba3ca1f06644980612ad3dd47b95416c66f7a5ee4426f03cead8c715e20ae4a49 +SHA512 (container-selinux.tgz) = 7a10741c808044e7ba23a6be5e7a294456eb1ea8c802167415e106943727a37be50c061c0b58eb6b593ce22941635a61cb35af1bfd38ab236efe9341a47feffe