From 19c9a7d734c0ae054c1911404a6fd6570401a238 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Apr 27 2018 09:50:21 +0000
Subject: * Fri Apr 27 2018 Lukas Vrabec - 3.14.2-14

- Add dac_override capability to mailman_mail_t domain
- Add dac_override capability to radvd_t domain
- Update openvswitch policy
- Add dac_override capability to oddjob_homedir_t domain
- Allow slapd_t domain to mmap slapd_var_run_t files
- Rename tang policy to tangd
- Allow virtd_t domain to relabel virt_var_lib_t files
- Allow logrotate_t domain to stop services via systemd
- Add tang policy
- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t
- Allow snapperd_t daemon to create unlabeled dirs.
- Make httpd_var_run_t mountpoint
- Allow hsqldb_t domain to mmap own temp files
- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliases to make it consistent
- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP
- Add new Boolean tomcat_use_execmem
- Allow nfsd_t domain to read/write sysctl fs files
- Allow conman to read system state
- Allow brltty_t domain to be dbusd system client
- Allow zebra_t domain to bind on babel udp port
- Allow freeipmi domain to read sysfs_t files
- Allow targetd_t domain mmap lvm config files
- Allow abrt_t domain to manage kdump crash files
- Add capability dac_override to antivirus domain
- Allow svirt_t domain mmap svirt_image_t files BZ(1514538)
- Allow ftpd_t domain to chat with systemd
- Allow systemd init named socket activation for uuidd policy
- Allow networkmanager domain to write to ecryptfs_t files BZ(1566706)
- Allow l2tpd domain to stream connect to sssd BZ(1568160)
- Dontaudit abrt_t to write to lib_t dirs BZ(1566784)
- Allow NetworkManager_ssh_t domain transition to insmod_t BZ(1567630)
- Allow certwatch to manage cert files BZ(1561418)
- Merge pull request #53 from tmzullinger/rawhide
- Merge pull request #52 from thetra0/rawhide
- Allow abrt_dump_oops_t domain to mmap all non security files BZ(1565748)
- Allow gpg_t domain mmap cert_t files Allow gpg_t mmap gpg_agent_t files - Allow NetworkManager_ssh_t domain use generic ptys. BZ(1565851) - Allow pppd_t domain read/write l2tpd pppox sockets BZ(1566096) - Allow xguest user use bluetooth sockets if xguest_use_bluetooth boolean is turned on. - Allow pppd_t domain creating pppox sockets BZ(1566271) - Allow abrt to map var_lib_t files - Allow chronyc to read system state BZ(1565217) - Allow keepalived_t domain to chat with systemd via dbus - Allow git to mmap git_(sys|user)_content_t files BZ(1518027) - Allow netutils_t domain to create bluetooth sockets - Allow traceroute to bind on generic sctp node - Allow traceroute to search network sysctls - Allow systemd to use virtio console - Label /dev/op_panel and /dev/opal-prd as opal_device_t --- diff --git a/.gitignore b/.gitignore index fdfd27e..baca621 100644 --- a/.gitignore +++ b/.gitignore @@ -272,3 +272,5 @@ serefpolicy* /selinux-policy-bb22502.tar.gz /selinux-policy-b8ddd7e.tar.gz /selinux-policy-contrib-4b13776.tar.gz +/selinux-policy-fee4738.tar.gz +/selinux-policy-contrib-6c883f6.tar.gz diff --git a/selinux-policy.spec b/selinux-policy.spec index e7c7e60..1e2a906 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 b8ddd7e996c81e52fd793d69d2cfca8f21cffdbf +%global commit0 fee4738dd084c71e46aede3c55d1120522a855d6 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 4b13776189d49c87144522f1b5a7ba0a58970f1b +%global commit1 6c883f6889d087c93133428c18bff50330828153 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat 
@@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.2 -Release: 13%{?dist} +Release: 14%{?dist} License: GPLv2+ Group: System Environment/Base Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz 
@@ -718,6 +718,75 @@ exit 0 %endif %changelog +* Fri Apr 27 2018 Lukas Vrabec - 3.14.2-14 +- Add dac_override capability to mailman_mail_t domain +- Add dac_override capability to radvd_t domain +- Update openvswitch policy +- Add dac_override capability to oddjob_homedir_t domain +- Allow slapd_t domain to mmap slapd_var_run_t files +- Rename tang policy to tangd +- Allow virtd_t domain to relabel virt_var_lib_t files +- Allow logrotate_t domain to stop services via systemd +- Add tang policy +- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t +- Allow snapperd_t daemon to create unlabeled dirs. +- Make httpd_var_run_t mountpoint +- Allow hsqldb_t domain to mmap own temp files +- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliasses to make it consistence +- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP +- Add new Boolean tomcat_use_execmem +- Allow nfsd_t domain to read/write sysctl fs files +- Allow conman to read system state +- Allow brltty_t domain to be dbusd system client +- Allow zebra_t domain to bind on babel udp port +- Allow freeipmi domain to read sysfs_t files +- Allow targetd_t domain mmap lvm config files +- Allow abrt_t domain to manage kdump crash files +- Add capability dac_override to antivirus domain +- Allow svirt_t domain mmap svirt_image_t files BZ(1514538) +- Allow ftpd_t domain to chat with systemd +- Allow systemd init named socket activation for uuidd policy +- Allow networkmanager domain to write to ecryptfs_t files BZ(1566706) +- Allow l2tpd domain to stream connect to sssd BZ(1568160) +- Dontaudit abrt_t to write to lib_t dirs BZ(1566784) +- Allow NetworkManager_ssh_t domain transition to insmod_t BZ(1567630) +- Allow certwatch to manage cert files BZ(1561418) +- Merge pull request #53 from tmzullinger/rawhide +- Merge pull request #52 from thetra0/rawhide +- Allow abrt_dump_oops_t domain to mmap all non 
security files BZ(1565748) +- Allow gpg_t domain mmap cert_t files Allow gpg_t mmap gpg_agent_t files +- Allow NetworkManager_ssh_t domain use generic ptys. BZ(1565851) +- Allow pppd_t domain read/write l2tpd pppox sockets BZ(1566096) +- Allow xguest user use bluetooth sockets if xguest_use_bluetooth boolean is turned on. +- Allow pppd_t domain creating pppox sockets BZ(1566271) +- Allow abrt to map var_lib_t files +- Allow chronyc to read system state BZ(1565217) +- Allow keepalived_t domain to chat with systemd via dbus +- Allow git to mmap git_(sys|user)_content_t files BZ(1518027) +- Allow netutils_t domain to create bluetooth sockets +- Allow traceroute to bind on generic sctp node +- Allow traceroute to search network sysctls +- Allow systemd to use virtio console +- Label /dev/op_panel and /dev/opal-prd as opal_device_t +- Label /run/ebtables.lock as iptables_var_run_t +- Allow udev_t domain to manage udev_rules_t char files. +- Assign babel_port_t label to udp port 6696 +- Add new interface lvm_map_config +- Merge pull request #212 from stlaz/patch-1 +- Allow local_login_t reads of udev_var_run_t context +- Associate sysctl_crypto_t fs with fs_t BZ(1569313) +- Label /dev/vhost-vsock char device as vhost_device_t +- Allow iptables_t domain to create dirs in etc_t with system_conf_t labels +- Allow x userdomain to mmap xserver_tmpfs_t files +- Allow sysadm_t to mount tracefs_t +- Allow unconfined user all perms under bpf class BZ(1565738) +- Allow SELinux users (except guest and xguest) to using bluetooth sockets +- Add new interface files_map_var_lib_files() +- Allow user_t and staff_t domains create netlink tcpdiag sockets +- Allow systemd-networkd to read sysctl_t files +- Allow systemd_networkd_t to read/write tun tap devices +- refpolicy: Update for kernel sctp support + * Thu Apr 12 2018 Lukas Vrabec - 3.14.2-13 - refpolicy: Update for kernel sctp support - Allow smbd_t send to nmbd_t via dgram sockets BZ(1563791) 
diff --git a/sources b/sources index 2ed8218..d3d6131 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (selinux-policy-b8ddd7e.tar.gz) = 9287be6e36d4c6a6fc36a5ab30170c8a1ad865f167a98cd1cbb72fefcc5ef7853b147a679342ff4fddf4d94a03c2ae5ebc5b81ece8eab8ff2a5b111a426d7f43 -SHA512 (selinux-policy-contrib-4b13776.tar.gz) = 19ccaa52c67ffc6bd6c907861400d18e5e64f9c7ab37ac56c96d831aa5a89d96fff2e8a22fe6b5be0ae23aec5426639e2295ba33e43bf02daa2b80c2106bd685 -SHA512 (container-selinux.tgz) = 608b1f59dbd761a968d69d46b9f658b33c71e572b27c3c3cdc87efd3544662fac58b9bf6b41fae5afee6269d231d848a7e7f0f1afbd0f91f5729e87fc17a9a50 +SHA512 (selinux-policy-fee4738.tar.gz) = 9ddc50caee037fda2eebb5e8fa6d448626b2ec2931262601a32d692f90c4e2d2aa30324871fb272019f781b408cd505f5d51c60a85b5612192bd88fdc10ed0af +SHA512 (selinux-policy-contrib-6c883f6.tar.gz) = 8acef041e381d30e9666750c59311f18bd204b2e759cc258a6c032bf7f524a160c296440746baa59e280deee27f5b38476b888cb14c4cc97d03d4137c1e098e6 +SHA512 (container-selinux.tgz) = b3c6878e5410833515938e1f53f29d6cdad2d00c0203af5e114ff3a4d6e51ef9630ac600c0d6104f69cf7578de106d54b04d9ee3f4abe6a2676e0b9fb8343a12
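Review bot: in the `.gitignore` hunk the two superseded entries (`/selinux-policy-b8ddd7e.tar.gz`, `/selinux-policy-contrib-4b13776.tar.gz`) stay in place while `/selinux-policy-fee4738.tar.gz` and `/selinux-policy-contrib-6c883f6.tar.gz` are appended, so the ignore list grows by two lines on every rebase; replace the stale entries instead of appending, or ignore the pattern once (the hunk context already shows a `serefpolicy*` glob being used for the same purpose).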
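Review bot: in the first `selinux-policy.spec` hunk, `commit0` and `commit1` are pinned to full 40-character hashes (`fee4738dd084…`, `6c883f6889d0…`), which is the right way to reference the GitHub archive sources, but because `Source:` is fetched as `%{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz`, the only integrity check on what the build consumes is the SHA512 in `sources`; this spec hunk and the `sources` hunk must therefore land together, and the hashes should be computed from a freshly downloaded archive rather than copied from elsewhere.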
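Review bot: in the `%changelog` hunk the new 3.14.2-14 entry ends with `- refpolicy: Update for kernel sctp support`, which is also the first bullet of the 3.14.2-13 entry directly below it, so one of the two is a duplicate and should be dropped. In the same block `- Allow gpg_t domain mmap cert_t files Allow gpg_t mmap gpg_agent_t files` fuses two bullets onto one line, `aliasses` and `consistence` are misspelled, and `- Add tang policy` comes after `- Rename tang policy to tangd`, which reads backwards. The four `dac_override` capability grants (mailman_mail_t, radvd_t, oddjob_homedir_t, antivirus) carry no BZ reference, unlike most other allow rules in this entry; since CAP_DAC_OVERRIDE lets a domain bypass discretionary file permission checks, each of those bullets should cite the denial it was added to resolve so the grant can be audited later.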
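Review bot: in the `sources` hunk the `container-selinux.tgz` SHA512 changes from `608b1f59…` to `b3c6878e…`, but neither the changelog entry nor the commit message mentions updating container-selinux, and the tarball name carries no version or commit suffix (unlike the two `selinux-policy-*` archives), so nothing records which container-selinux revision this hash corresponds to. Add a changelog bullet naming the revision it was taken from, or name the tarball by commit the way the other two sources are.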