From 2f784b60817dee1ba518a7ae2b71f369f120f430 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 28 2020 09:38:56 +0000 Subject: import selinux-policy-3.14.3-41.el8 --- diff --git a/.gitignore b/.gitignore index 267186c..759db1c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ SOURCES/container-selinux.tgz -SOURCES/selinux-policy-9c02e99.tar.gz -SOURCES/selinux-policy-contrib-c8ebb9f.tar.gz +SOURCES/selinux-policy-c49d479.tar.gz +SOURCES/selinux-policy-contrib-c5d8cee.tar.gz diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata index 3b74b98..2a3fb05 100644 --- a/.selinux-policy.metadata +++ b/.selinux-policy.metadata @@ -1,3 +1,3 @@ -53ade5f3e668c078acfccdf1ec8094ac58f4847a SOURCES/container-selinux.tgz -a39a2f69b1b5871767129babffd3fd3d7f1aca4f SOURCES/selinux-policy-9c02e99.tar.gz -a357a9d089222708f0da5084425992182873bdfe SOURCES/selinux-policy-contrib-c8ebb9f.tar.gz +5b46f3a2694ba1e21944f1ec9386202448aded3d SOURCES/container-selinux.tgz +699742eb05f02e553428b5405262d4298c6d00f0 SOURCES/selinux-policy-c49d479.tar.gz +fa52cccaafdbfeec634ccce080ef00713b11b2e5 SOURCES/selinux-policy-contrib-c5d8cee.tar.gz diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf index ebff470..02c9839 100644 --- a/SOURCES/modules-targeted-contrib.conf +++ b/SOURCES/modules-targeted-contrib.conf @@ -2649,3 +2649,24 @@ boltd = module # kpatch # kpatch = module + +# Layer: contrib +# Module: timedatex +# +# timedatex +# +timedatex = module + +# Layer: contrib +# Module: rrdcached +# +# rrdcached +# +rrdcached = module + +# Layer: contrib +# Module: stratisd +# +# stratisd +# +stratisd = module diff --git a/SOURCES/users-minimum b/SOURCES/users-minimum index 8207eed..977a838 100644 --- a/SOURCES/users-minimum +++ b/SOURCES/users-minimum 
@@ -25,7 +25,7 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) # permit any access to such users, then remove this entry. # gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # diff --git a/SOURCES/users-mls b/SOURCES/users-mls index 05d2671..5469659 100644 --- a/SOURCES/users-mls +++ b/SOURCES/users-mls @@ -25,7 +25,7 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) # permit any access to such users, then remove this entry. # gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(staff_u, user, staff_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # diff --git a/SOURCES/users-targeted b/SOURCES/users-targeted index 8207eed..977a838 100644 --- a/SOURCES/users-targeted +++ b/SOURCES/users-targeted @@ -25,7 +25,7 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) # permit any access to such users, then remove this entry. # gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec index 32bcd7d..35b3a93 100644 --- a/SPECS/selinux-policy.spec +++ b/SPECS/selinux-policy.spec 
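Review bot: The staff_u role-set change in users-minimum, users-mls and users-targeted (each hunk drops `system_r` from its `gen_user(staff_u, ...)` line) is not recorded anywhere in the spec changelog hunk, which otherwise documents the policy changes shipped between 3.14.3-21 and 3.14.3-41. Removing a role from a user's authorized set tightens what staff_u can reach, but it also makes any existing `staff_u:system_r:...` context invalid and presumably breaks any seusers or login mapping that relied on staff_u being allowed to hold system_r, so administrators upgrading in place need to be told. Please add a line to the 3.14.3-41 changelog entry such as `- Remove system_r from the staff_u authorized roles (users-minimum, users-mls, users-targeted)`, with the matching Resolves: reference if there is one. The edit is identical across the three users files, so a single changelog line covering all of them is enough.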
@@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 9c02e9977eedf96c45a26ed4a1d0c5e6c3f2c8d9 +%global commit0 c49d4791b610a9a3ce8a0a2a015817a9f1724be8 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 c8ebb9fb34b06455a41e1ff59626c186d8602452 +%global commit1 c5d8ceee7fe06f305aff364df091ad77cfad7086 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat @@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.3 -Release: 20%{?dist} +Release: 41%{?dist} License: GPLv2+ Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz 
@@ -715,6 +715,310 @@ exit 0 %endif %changelog +* Mon Mar 16 2020 Zdenek Pytela - 3.14.3-41 +- Allow NetworkManager read its unit files and manage services +- Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t +Resolves: rhbz#1806894 + +* Tue Feb 18 2020 Lukas Vrabec - 3.14.3-40 +- Update virt_read_qemu_pid_files inteface +Resolves: rhbz#1782925 + +* Sat Feb 15 2020 Lukas Vrabec - 3.14.3-39 +- Allow vhostmd communication with hosted virtual machines +- Add and update virt interfaces +Resolves: rhbz#1782925 + +* Tue Jan 28 2020 Zdenek Pytela - 3.14.3-38 +- Dontaudit timedatex_t read file_contexts_t and validate security contexts +Resolves: rhbz#1779098 + +* Tue Jan 21 2020 Lukas Vrabec - 3.14.3-37 +- Make stratisd_t domain unconfined for RHEL-8.2 +Resolves: rhbz#1791557 +- stratisd_t policy updates +Resolves: rhbz#1791557 + +* Thu Jan 16 2020 Lukas Vrabec - 3.14.3-36 +- Label /stratis as stratisd_data_t +Resolves: rhbz#1791557 + +* Tue Jan 14 2020 Lukas Vrabec - 3.14.3-35 +- Allow stratisd_t domain to read/write fixed disk devices and removable devices. +Resolves: rhbz#1790795 + +* Mon Jan 13 2020 Lukas Vrabec - 3.14.3-34 +- Added macro for stratisd to chat over dbus +- Add dac_override capability to stratisd_t domain +- Allow userdomain to chat with stratisd over dbus. 
+Resolves: rhbz#1787298 + +* Fri Jan 10 2020 Lukas Vrabec - 3.14.3-33 +- Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directory +Resolves: rhbz#1778126 + +* Wed Jan 08 2020 Lukas Vrabec - 3.14.3-32 +- Allow create udp sockets for abrt_upload_watch_t domains +Resolves: rhbz#1777761 + +* Wed Jan 08 2020 Lukas Vrabec - 3.14.3-31 +- Allow sssd_t domain to read kernel net sysctls +Resolves: rhbz#1777042 + +* Fri Dec 13 2019 Zdenek Pytela - 3.14.3-30 +- Allow userdomain dbus chat with systemd_resolved_t +Resolves: rhbz#1773463 +- Allow init_t read and setattr on /var/lib/fprintd +Resolves: rhbz#1781696 +- Allow sysadm_t dbus chat with colord_t +Resolves: rhbz#1772669 +- Allow confined users run fwupdmgr +Resolves: rhbz#1772619 +- Allow confined users run machinectl +Resolves: rhbz#1772625 +- Allow systemd labeled as init_t domain to create dirs labeled as var_t +Resolves: rhbz#1778126 +- Allow systemd labeled as init_t domain to manage faillog_t objects +Resolves: rhbz#1671019 +- Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces +Resolves: rhbz#1781696 +- Allow pulseaudio create .config and dgram sendto to unpriv_userdomain +Resolves: rhbz#1703231 +- Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030) +Resolves: rhbz#1777761 +- Change type in transition for /var/cache/{dnf,yum} directory +Resolves: rhbz#1686833 +- Revert "Update zebra SELinux policy to make it work also with frr service" +This reverts commit 73653250a252ad6eefcb3aae00749017e396ab8d. +- Revert "Label only regular files inside /usr/lib/frr direcotry as zebra_exec_t" +This reverts commit a19eb1021cbd6c637344954cead54caae081e07c. 
+- Allow stratis_t domain to request load modules +Resolves: rhbz#1726259 +- Allow stratisd to connect to dbus +Resolves: rhbz#1726259 +- Run stratisd service as stratisd_t +Resolves: rhbz#1726259 +- Add support for smart card authentication in cockpit BZ(1690444) +Resolves: rhbz#1771414 +- cockpit: Support split-out TLS proxy +Resolves: rhbz#1771414 +- cockpit: Allow cockpit-session to read cockpit-tls state +Resolves: rhbz#1771414 +- Update cockpit policy +Resolves: rhbz#1771414 +- cockpit: Support https instance factory +Resolves: rhbz#1771414 +- cockpit: Allow cockpit-session to read cockpit-tls state directory +Resolves: rhbz#1771414 +- Fix nonexisting types in rtas_errd_rw_lock interface +Resolves: rhbz#1744234 + +* Wed Nov 27 2019 Lukas Vrabec - 3.14.3-29 +- Allow timedatex_t domain to read relatime clock and adjtime_t files +Resolves: rhbz#1771513 + +* Fri Nov 22 2019 Lukas Vrabec - 3.14.3-28 +- Update timedatex policy to add macros +Resolves: rhbz#1771513 + +* Fri Nov 15 2019 Lukas Vrabec - 3.14.3-27 +- Allow timedatex_t domain dbus chat with both confined and unconfined users +Resolves: rhbz#1771513 +- Fix typo bugs in rtas_errd_read_lock() interface +Resolves: rhbz#1750096 +- Allow timedatex_t domain to systemctl chronyd domains +Resolves: rhbz#1771513 +- Fix typo in dev_filetrans_all_named_dev() +Resolves: rhbz#1750096 + +* Mon Nov 11 2019 Lukas Vrabec - 3.14.3-26 +- New policy for rrdcached +Resolves: rhbz#1726255 +- Update timedatex policy +- Update timedatex SELinux policy to to sychronizate time with GNOME and add new macro chronyd_service_status to chronyd.if +- Add new macro systemd_timedated_status to systemd.if to get timedated service status +Resolves: rhbz#1730204 +- Update lldpad_t policy module +Resolves: rhbz#1726246 +- Dontaudit sandbox web types to setattr lib_t dirs +Resolves: rhbz#1739858 +- Fix typo in cachefiles device +Resolves: rhbz#1750096 + +* Thu Nov 07 2019 Lukas Vrabec - 3.14.3-25 +- Allow sssd_t domain to read gnome config and 
named cache files +Resolves: rhbz#1743907 +- Allow httpd_t to signull mailman_cgi_t process +Resolves: rhbz#1686462 +- Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files +Resolves: rhbz#1758545 +- Allow cachefilesd_t domain to read/write cachefiles_device_t devices +Resolves: rhbz#1750096 +- Remove setting label for /dev/cachefilesd char device from cachefilesd policy. This should be added in base policy +Resolves: rhbz#1750096 +- Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t +Resolves:rhbz#1746511 +- Label libvirt drivers as virtd_exec_t +Resolves: rhbz#1745076 +- Update apache and pkcs policies to make active opencryptoki rules +Resolves: rhbz#1744198 +- Introduce new bolean httpd_use_opencryptoki +Resolves: rhbz#1744198 +- Allow gssproxy_t domain read state of all processes on system +Resolves: rhbz#1752031 +- Dontaudit tmpreaper_t getting attributes from sysctl_type files +Resolves: rhbz#1730204 +- Added macro for timedatex to chat over dbus. +Resolves: rhbz#1730204 +- Run timedatex service as timedatex_t +Resolves: rhbz#1730204 +- Run lldpd service as lldpad_t. +Resolves: rhbz#1726246 +- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald +- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t +Resolves: rhbz#1765065 +- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files +Resolves: rhbz#1744234 +- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command. +Resolves: rhbz#1765065 +- Update tmpreaper_t policy due to fuser command +Resolves: rhbz#1765065 +- Allow fail2ban_t domain to create netlink netfilter sockets. 
+Resolves: rhbz#1766415 +- Label /dev/cachefilesd as cachefiles_device_t +Resolves: rhbz#1750096 +- Label udp 8125 port as statsd_port_t +Resolves: rhbz#1746511 +- Allow systemd(init_t) to load kernel modules +Resolves: rhbz#1758255 +- Dontaudit sys_admin capability for auditd_t domains +Resolves: rhbz#1669040 +- Allow x_userdomain to dbus_chat with timedatex. +Resolves: rhbz#1730204 + +* Fri Oct 25 2019 Lukas Vrabec - 3.14.3-24 +- Allow confined users to run newaliases +Resolves:rhbz#1750405 +- Add interface mysql_dontaudit_rw_db() +Resolves: rhbz#1747926 +- Label /var/lib/xfsdump/inventory as amanda_var_lib_t +Resolves: rhbz#1739137 +- Allow tmpreaper_t domain to read all domains state +Resolves: rhbz#1765065 +- Allow ipa_ods_exporter_t domain to read krb5_keytab files +Resolves: rhbz#1759900 +- Allow rhsmcertd_t domain to read rtas_errd lock files +Resolves: rhbz#1744234 +- Add new interface rtas_errd_read_lock() +Resolves: rhbz#1744234 +- Donaudit ifconfig_t domain to read/write mysqld_db_t files +Resolves: rhbz#1747926 + +* Thu Oct 17 2019 Lukas Vrabec - 3.14.3-23 +- Label only regular files inside /usr/lib/frr direcotry as zebra_exec_t +Resolves: rhbz#1714984 +- Dontaudit and disallow sys_admin capability for keepalived_t domain +Resolves: rhbz#1729174 +- Allow processes labeled as keepalived_t domain to get process group +Resolves: rhbz#1746955 + +* Mon Oct 14 2019 Lukas Vrabec - 3.14.3-22 +- Allow ldconfig_t domain to manage initrc_tmp_t link files Allow netutils_t domain to write to initrc_tmp_t fifo files +Resolves: rhbz#1756006 +- Allow user domains to manage user session services +Resolves: rhbz#1727887 +- Allow staff and user users to get status of user systemd session +Resolves: rhbz#1727887 + +* Fri Oct 11 2019 Lukas Vrabec - 3.14.3-21 +- Allow user_mail_domain attribute to manage files labeled as etc_aliases_t. 
+Resolves: rhbz#1750405 +- Allow dlm_controld_t domain to read random device +Resolves: rhbz#1752943 +- Allow haproxy_t domain to read network state of system +Resolves: rhbz#1746974 +- Allow avahi_t to send msg to lpr_t +Resolves: rhbz#1752843 +- Create new type ipmievd_helper_t domain for loading kernel modules. +Resolves: rhbz#1673804 +- networkmanager: allow NetworkManager_t to create bluetooth_socket +Resolves: rhbz#1747768 +- Label /etc/named direcotory as named_conf_t +Resolves: rhbz#1759505 +- Update aide_t domain to allow this tool to analyze also /dev filesystem +Resolves: rhbz#1758265 +- Update zebra SELinux policy to make it work also with frr service +Resolves: rhbz#1714984 +- Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects. +Resolves: rhbz#1711909 +- Allow chronyc_t domain to append to all non_security files + Resolves: rhbz#1696252 +- Allow httpd_t domain to read/write named_cache_t files +Resolves: rhbz#1690484 +- Add new interface bind_rw_cache() +Resolves: rhbz#1690484 +- Label /var/run/mysql as mysqld_var_run_t +Resolves: rhbz#1687867 +- Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t. 
+Resolves: rhbz#1612552 +- Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types +Resolves: rhbz#1647971 +- Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces +Resolves: rhbz#1663874 +- Update gnome_dontaudit_read_config +Resolves: rhbz#1663874 +- Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports +Resolves: rhbz#1687499 +- Update keepalived policy +Resolves: rhbz#1728332 +- Add sys_admin capability for keepalived_t labeled processes +Resolves: rhbz#1729174 +- Fix abrt_upload_watch_t in abrt policy +Resolves: rhbz#1737419 +- Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label +Resolves: rhbz#1737550 +- Allow amanda_t to manage its var lib files and read random_device_t +Resolves: rhbz#1739137 +- Allow zebrat_t domain to read state of NetworkManager_t processes BZ(1739983) +Resolves: rhbz#1743684 +- Allow pesign_t domain to read/write named cache files. +Resolves: rhbz#1745429 +- Allow login user type to use systemd user session +Resolves: rhbz#1727887 +- Allow avahi_t to send msg to xdm_t +Resolves: rhbz#1755401 +- Allow ldconfig_t domain to manage initrc_tmp_t objects +Resolves: rhbz#1756006 +- Add new interface init_write_initrc_tmp_pipes() +- Add new interface init_manage_script_tmp_files() +- Add new interface udev_getattr_rules_chr_files() +- Run lvmdbusd service as lvm_t +Resolves: rhbz#1726166 +- Label 2618/tcp and 2618/udp as priority_e_com_port_t +- Label 2616/tcp and 2616/udp as appswitch_emp_port_t +- Label 2615/tcp and 2615/udp as firepower_port_t +- Label 2610/tcp and 2610/udp as versa_tek_port_t +- Label 2613/tcp and 2613/udp as smntubootstrap_port_t +- Label 3784/tcp and 3784/udp as bfd_control_port_t +- Allow systemd labeled as init_t domain to remount rootfs filesystem +Resolves: rhbz#1698197 +- Add interface files_remount_rootfs() +- New interface files_append_non_security_files() +- Allow domains systemd_networkd_t and systemd_logind_t to chat over 
dbus +Resolves: rhbz#1612552 +- Update userdomains to pass correct parametes based on updates from cron_*_role interfaces + Resolves: rhbz#1647971 +- Dontaudit sys_admin capability for iptables_t SELinux domain +Resolves: rhbz#1669040 +- Allow systemd labeled as init_t domain to read/write faillog_t. BZ(1723132) +Resolves: rhbz#1671019 +- Allow userdomains to dbus chat with policykit daemon +Resolves: rhbz#1727902 +- Allow ipsec_t domain to read/write named cache files +Resolves: rhbz#1743777 +- Add sys_admin capability for ipsec_t domain +Resolves: rhbz#1753662 + * Mon Sep 16 2019 Lukas Vrabec - 3.14.3-20 - Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces. - Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label @@ -852,7 +1156,7 @@ Resolves: rhbz#1669095 - Allow systemd labeled as init_t to create mountpoints without any specific label as default_t Resolves: rhbz#1696144 -* Tue Jul 10 2019 Lukas Vrabec - 3.14.3-11 +* Wed Jul 10 2019 Lukas Vrabec - 3.14.3-11 - Fix minor changes to pass coverity scan Resolves: rhbz#1728578