From 2675489867c3d6cc9cb5adf31c3f7d4281a4c9e8 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Apr 25 2019 15:29:03 +0000
Subject: * Thu Apr 25 2019 Lukas Vrabec - 3.14.4-13
- Introduce deny_bluetooth boolean
- Allow greylist_milter_t to read network system state BZ(1702672)
- Allow freeipmi domains to mmap freeipmi_var_cache_t files
- Allow rhsmcertd_t and rpm_t domains to chat over dbus
- Allow thumb_t domain to delete cache_home_t files BZ(1701643)
- Update gnome_role_template() to allow _gkeyringd_t domains to chat with systemd_logind over dbus
- Add new interface boltd_dbus_chat()
- Allow fwupd_t and modemmanager_t domains to communicate over dbus BZ(1701791)
- Allow keepalived_t domain to create and use netlink_connector sockets BZ(1701750)
- Allow cockpit_ws_t domain to set limits BZ(1701703)
- Update Nagios policy when sudo is used
- Deamon rhsmcertd is able to install certs for docker again
- Introduce deny_bluetooth boolean
- Don't allow a container to connect to random services
- Remove file context /usr/share/spamassassin/sa-update\.cron -> bin_t to label sa-update.cron as spamd_update_exec_t.
- Allow systemd_logind_t and systemd_resolved_t domains to chat over dbus
- Allow unconfined_t to use bpf tools
- Allow x_userdomains to communicate with boltd daemon over dbus
---
diff --git a/.gitignore b/.gitignore
index 96d1809..5b78d2a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -364,3 +364,5 @@ serefpolicy*
 /selinux-policy-contrib-b78d1b1.tar.gz
 /selinux-policy-contrib-d00ed3c.tar.gz
 /selinux-policy-6ed8a72.tar.gz
+/selinux-policy-contrib-5a0561d.tar.gz
+/selinux-policy-54c05f2.tar.gz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 694e1ef..c767785 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 6ed8a7287528f71218ddea3afedc54c95c39b9e4
+%global commit0 54c05f2645a660c545ec406558b42687df2552a7
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 d00ed3cca362cbdcc43be9111cb3d27c2b3b5266
+%global commit1 5a0561d7b67ae8403d4e1a44acfc8db40ee269a5
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.4
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -787,6 +787,26 @@ exit 0
 %endif
 %changelog
+* Thu Apr 25 2019 Lukas Vrabec - 3.14.4-13
+- Introduce deny_bluetooth boolean
+- Allow greylist_milter_t to read network system state BZ(1702672)
+- Allow freeipmi domains to mmap freeipmi_var_cache_t files
+- Allow rhsmcertd_t and rpm_t domains to chat over dbus
+- Allow thumb_t domain to delete cache_home_t files BZ(1701643)
+- Update gnome_role_template() to allow _gkeyringd_t domains to chat with systemd_logind over dbus
+- Add new interface boltd_dbus_chat()
+- Allow fwupd_t and modemmanager_t domains to communicate over dbus BZ(1701791)
+- Allow keepalived_t domain to create and use netlink_connector sockets BZ(1701750)
+- Allow cockpit_ws_t domain to set limits BZ(1701703)
+- Update Nagios policy when sudo is used
+- Deamon rhsmcertd is able to install certs for docker again
+- Introduce deny_bluetooth boolean
+- Don't allow a container to connect to random services
+- Remove file context /usr/share/spamassassin/sa-update\.cron -> bin_t to label sa-update.cron as spamd_update_exec_t.
+- Allow systemd_logind_t and systemd_resolved_t domains to chat over dbus
+- Allow unconfined_t to use bpf tools
+- Allow x_userdomains to communicate with boltd daemon over dbus
+
 * Fri Apr 19 2019 Lukas Vrabec - 3.14.4-12
 - Fix typo in cups SELinux policy
 - Allow iscsid_t to read modules deps BZ(1700245)
diff --git a/sources b/sources
index ab44e81..086e984 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,3 @@
-SHA512 (selinux-policy-contrib-d00ed3c.tar.gz) = 1bacec62b941abd7a0ad9977037ae6762d1ca4bd02b3c0b0b10091f710b5d96b78f8e9adc824c88d00378bd48d2522a5636562b657679f63ce574f6e0babc0ec
-SHA512 (selinux-policy-6ed8a72.tar.gz) = 895da6ebd991625f509accb47773f6557ce284917d714158ca484af5135e436f1e0e512303100afe9ce665fa0b895b090b04e58fe169c91fc62d9d3999d2336f
-SHA512 (container-selinux.tgz) = f1391d9e30efa936a1d8afb56d88a841a203b893e05aaefb1704367bf6f0d40cf45b7d393081d6a0e3c6ed15a5b559fa17e2b27bc87f409f8b83c20d91fa6709
-SHA512 (macro-expander) = b4f26e7ed6c32b3d7b3f1244e549a0e68cb387ab5276c4f4e832a9a6b74b08bea2234e8064549d47d1b272dbd22ef0f7c6b94cd307cc31ab872f9b68206021b2
+SHA512 (selinux-policy-contrib-5a0561d.tar.gz) = 40ac186675b0c3633263165ecc409f9b36752d74e9c699a637f0a56e6a9162bf6be89b4a2a081e331accabaf82d2d36f260804a0743993a64d0425b3fd3dd0cd
+SHA512 (selinux-policy-54c05f2.tar.gz) = 1ff1a1e7931e107f8f53952428b8abd1b4ec4997463132ad2255afd08f6b6bc240722d07b0a132492ab4f33fac7af14725c440c6d6c959c8b8afe9ad194ee2d4
+SHA512 (container-selinux.tgz) = e17ae54aa1899b413b79f02d95e188a575111f88b723e2b38331da056260c342228fb47b8b85963e8312844e1b0e4f7fe22c3a6cc2c204126c6cdff952425842
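Review bot: The `SHA512 (macro-expander)` entry is dropped from `sources` in this hunk, and the `container-selinux.tgz` digest changes under an unchanged file name, yet neither appears in the commit message or the changelog. If the spec (not fully visible in this diff) still lists macro-expander as a Source and the file is not tracked in the package repository, the build would have no pinned checksum for it. Please confirm the removal is intentional, or restore the removed `SHA512 (macro-expander) = …` line with its previous digest. Because `container-selinux.tgz` carries no commit id or version in its name, unlike the two `selinux-policy-*` tarballs, the new digest cannot be tied to an upstream revision from this page. A changelog line naming the container-selinux commit the tarball was built from would make the update auditable.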