From 49ed22dc7fe83a15ad70fe38b44955a28b016e7b Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 28 2023 09:06:52 +0000
Subject: import selinux-policy-3.14.3-117.el8
---
diff --git a/.gitignore b/.gitignore
index 7927dee..041ee17 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-9db72ed.tar.gz
-SOURCES/selinux-policy-contrib-5e2c252.tar.gz
+SOURCES/selinux-policy-426c028.tar.gz
+SOURCES/selinux-policy-contrib-c6da44c.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index ea1df3e..d110037 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,3 +1,3 @@
-37036a3f9ec27f942a2b186db25f3c0551784c4e SOURCES/container-selinux.tgz
-d9e66219a3c1a29e8af4da26ed471297d3281fcc SOURCES/selinux-policy-9db72ed.tar.gz
-dd2ac90c589a5a5110bf578b014754b69f2232c7 SOURCES/selinux-policy-contrib-5e2c252.tar.gz
+bbb33f1d3ec06ac961c111b66a324496cbe9768f SOURCES/container-selinux.tgz
+8f77181d801751fdd49e7a537b291af8b455ed51 SOURCES/selinux-policy-426c028.tar.gz
+84a66625f87ed784dc752c76eca051d058abfa8d SOURCES/selinux-policy-contrib-c6da44c.tar.gz
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 1826dad..0ee5c6b 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 9db72ed4345b0f26e798cb301f306fb4ee303844
+%global commit0 426c028e3d055a6ae74f8bf7cc92107f3e43a5ea
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 5e2c252146f379cd25df50de97816f6771d9d79b
+%global commit1 c6da44cc670eb76341a756f7d338e60cfa7cd8ac
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 107%{?dist}
+Release: 117%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -717,6 +717,209 @@ exit 0
 %endif
 %changelog
+* Thu Feb 16 2023 Zdenek Pytela - 3.14.3-117
+- Fix opencryptoki file names in /dev/shm
+Resolves: rhbz#2028637
+- Allow system_cronjob_t transition to rpm_script_t
+Resolves: rhbz#2154242
+- Revert "Allow system_cronjob_t domtrans to rpm_script_t"
+Resolves: rhbz#2154242
+- Allow httpd work with tokens in /dev/shm
+Resolves: rhbz#2028637
+- Allow keepalived to set resource limits
+Resolves: rhbz#2168638
+- Allow insights-client manage fsadm pid files
+
+* Thu Feb 09 2023 Zdenek Pytela - 3.14.3-116
+- Allow sysadm_t run initrc_t script and sysadm_r role access
+Resolves: rhbz#2039662
+- Allow insights-client manage fsadm pid files
+Resolves: rhbz#2166802
+- Add journalctl the sys_resource capability
+Resolves: rhbz#2136189
+
+* Thu Jan 26 2023 Zdenek Pytela - 3.14.3-115
+- Fix syntax problem in redis.te
+Resolves: rhbz#2112228
+- Allow unconfined user filetransition for sudo log files
+Resolves: rhbz#2164047
+- Allow winbind-rpcd make a TCP connection to the ldap port
+Resolves: rhbz#2152642
+- Allow winbind-rpcd manage samba_share_t files and dirs
+Resolves: rhbz#2152642
+- Allow insights-client work with su and lpstat
+Resolves: rhbz#2134125
+- Allow insights-client read nvme devices
+Resolves: rhbz#2143878
+- Allow insights-client tcp connect to all ports
+Resolves: rhbz#2143878
+- Allow redis-sentinel execute a notification script
+Resolves: rhbz#2112228
+
+* Thu Jan 12 2023 Zdenek Pytela - 3.14.3-114
+- Add interfaces in domain, files, and unconfined modules
+Resolves: rhbz#2141311
+- Allow sysadm_t read/write ipmi devices
+Resolves: rhbz#2148561
+- Allow sudodomain use sudo.log as a logfile
+Resolves: rhbz#2143762
+- Add insights additional capabilities
+Resolves: rhbz#2158779
+- Allow insights client work with gluster and pcp
+Resolves: rhbz#2141311
+- Allow prosody manage its runtime socket files
+Resolves: rhbz#2157902
+- Allow system mail service read inherited certmonger runtime files
+Resolves: rhbz#2143337
+- Add lpr_roles to system_r roles
+Resolves: rhbz#2151111
+
+* Thu Dec 15 2022 Zdenek Pytela - 3.14.3-113
+- Allow systemd-socket-proxyd get attributes of cgroup filesystems
+Resolves: rhbz#2088441
+- Allow systemd-socket-proxyd get filesystems attributes
+Resolves: rhbz#2088441
+- Allow sysadm read ipmi devices
+Resolves: rhbz#2148561
+- Allow system mail service read inherited certmonger runtime files
+Resolves: rhbz#2143337
+- Add lpr_roles to system_r roles
+Resolves: rhbz#2151111
+- Allow insights-client tcp connect to various ports
+Resolves: rhbz#2151111
+- Allow insights-client work with pcp and manage user config files
+Resolves: rhbz#2151111
+- Allow insights-client dbus chat with various services
+Resolves: rhbz#2152867
+- Allow insights-client dbus chat with abrt
+Resolves: rhbz#2152867
+- Allow redis get user names
+Resolves: rhbz#2112228
+- Add winbind-rpcd to samba_enable_home_dirs boolean
+Resolves: rhbz#2143696
+
+* Wed Nov 30 2022 Zdenek Pytela - 3.14.3-112
+- Allow ipsec_t only read tpm devices
+Resolves: rhbz#2147380
+- Allow ipsec_t read/write tpm devices
+Resolves: rhbz#2147380
+- Label udf tools with fsadm_exec_t
+Resolves: rhbz#1972230
+- Allow the spamd_update_t domain get generic filesystem attributes
+Resolves: rhbz#2144501
+- Allow cdcc mmap dcc-client-map files
+Resolves: rhbz#2144505
+- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
+Resolves: rhbz#2143878
+- Allow insights client read raw memory devices
+Resolves: rhbz#2143878
+- Allow winbind-rpcd get attributes of device and pty filesystems
+Resolves: rhbz#2107106
+- Allow postfix/smtpd read kerberos key table
+Resolves: rhbz#1983308
+
+* Fri Nov 11 2022 Zdenek Pytela - 3.14.3-111
+- Add domain_unix_read_all_semaphores() interface
+Resolves: rhbz#2141311
+- Allow iptables list cgroup directories
+Resolves: rhbz#2134820
+- Allow systemd-hostnamed dbus chat with init scripts
+Resolves: rhbz#2111632
+- Allow systemd to read symlinks in /var/lib
+Resolves: rhbz#2118784
+- Allow insights-client domain transition on semanage execution
+Resolves: rhbz#2141311
+- Allow insights-client create gluster log dir with a transition
+Resolves: rhbz#2141311
+- Allow insights-client manage generic locks
+Resolves: rhbz#2141311
+- Allow insights-client unix_read all domain semaphores
+Resolves: rhbz#2141311
+- Allow winbind-rpcd use the terminal multiplexor
+Resolves: rhbz#2107106
+- Allow mrtg send mails
+Resolves: rhbz#2103675
+- Allow sssd dbus chat with system cronjobs
+Resolves: rhbz#2132922
+- Allow postfix/smtp and postfix/virtual read kerberos key table
+Resolves: rhbz#1983308
+
+* Thu Oct 20 2022 Zdenek Pytela - 3.14.3-110
+- Add the systemd_connectto_socket_proxyd_unix_sockets() interface
+Resolves: rhbz#208441
+- Add the dev_map_vhost() interface
+Resolves: rhbz#2122920
+- Allow init remount all file_type filesystems
+Resolves: rhbz#2122239
+- added policy for systemd-socket-proxyd
+Resolves: rhbz#2088441
+- Allow virt_domain map vhost devices
+Resolves: rhbz#2122920
+- Allow virt domains to access xserver devices
+Resolves: rhbz#2122920
+- Allow rotatelogs read httpd_log_t symlinks
+Resolves: rhbz#2030633
+- Allow vlock search the contents of the /dev/pts directory
+Resolves: rhbz#2122838
+- Allow system cronjobs dbus chat with setroubleshoot
+Resolves: rhbz#2125008
+- Allow ptp4l_t name_bind ptp_event_port_t
+Resolves: rhbz#2130168
+- Allow pcp_domain execute its private memfd: objects
+Resolves: rhbz#2090711
+- Allow samba-dcerpcd use NSCD services over a unix stream socket
+Resolves: rhbz#2121709
+- Allow insights-client manage samba var dirs
+Resolves: rhbz#2132230
+
+* Wed Oct 12 2022 Zdenek Pytela - 3.14.3-109
+- Add the files_map_read_etc_files() interface
+Resolves: rhbz#2132230
+- Allow insights-client manage samba var dirs
+Resolves: rhbz#2132230
+- Allow insights-client send null signal to rpm and system cronjob
+Resolves: rhbz#2132230
+- Update rhcd policy for executing additional commands 4
+Resolves: rhbz#2132230
+- Allow insights-client connect to postgresql with a unix socket
+Resolves: rhbz#2132230
+- Allow insights-client domtrans on unix_chkpwd execution
+Resolves: rhbz#2132230
+- Add file context entries for insights-client and rhc
+Resolves: rhbz#2132230
+- Allow snmpd_t domain to trace processes in user namespace
+Resolves: rhbz#2121084
+- Allow sbd the sys_ptrace capability
+Resolves: rhbz#2124552
+- Allow pulseaudio create gnome content (~/.config)
+Resolves: rhbz#2124387
+
+* Thu Sep 08 2022 Zdenek Pytela - 3.14.3-108
+- Allow unconfined_service_t insights client content filetrans
+Resolves: rhbz#2119507
+- Allow nsswitch_domain to connect to systemd-machined using a unix socket
+Resolves: rhbz#2119507
+- Add init_status_all_script_files() interface
+Resolves: rhbz#2119507
+- Add dev_dontaudit_write_raw_memory() and dev_read_vsock() interfaces
+Resolves: rhbz#2119507
+- Update insights-client policy for additional commands execution 5
+Resolves: rhbz#2119507
+- Confine insights-client systemd unit
+Resolves: rhbz#2119507
+- Update insights-client policy for additional commands execution 4
+Resolves: rhbz#2119507
+- Change rhsmcertd_t to insights_client_t in insights-client policy
+Resolves: rhbz#2119507
+- Allow insights-client send signull to unconfined_service_t
+Resolves: rhbz#2119507
+- Update insights-client policy for additional commands execution 3
+Resolves: rhbz#2119507
+- Allow journalctl read init state
+Resolves: rhbz#2119507
+- Update insights-client policy for additional commands execution 2
+Resolves: rhbz#2119507
+
 * Thu Aug 25 2022 Zdenek Pytela - 3.14.3-107
 - Label 319/udp port with ptp_event_port_t
 Resolves: rhbz#2118628