From 7bc65a1fe16ac76860e454e01481f696d70c8b07 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Feb 26 2024 15:16:48 +0000
Subject: * Mon Feb 26 2024 Zdenek Pytela - 40.14-1
- Allow userdomain get attributes of files on an nsfs filesystem
- Allow opafm create NFS files and directories
- Allow virtqemud create and unlink files in /etc/libvirt/
- Allow virtqemud domain transition on swtpm execution
- Add the swtpm.if interface file for interactions with other domains
- Allow samba to have dac_override capability
- systemd: allow sys_admin capability for systemd_notify_t
- systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
- Allow thumb_t to watch and watch_reads mount_var_run_t
- Allow krb5kdc_t map krb5kdc_principal_t files
- Allow unprivileged confined user dbus chat with setroubleshoot
- Allow login_userdomain map files in /var
- Allow wireguard work with firewall-cmd
- Differentiate between staff and sysadm when executing crontab with sudo
- Add crontab_admin_domtrans interface
- Allow abrt_t nnp domain transition to abrt_handle_event_t
- Allow xdm_t to watch and watch_reads mount_var_run_t
- Dontaudit subscription manager setfscreate and read file contexts
- Don't audit crontab_domain write attempts to user home
- Transition from sudodomains to crontab_t when executing crontab_exec_t
- Add crontab_domtrans interface
- Fix label of pseudoterminals created from sudodomain
- Allow utempter_t use ptmx
- Dontaudit rpmdb attempts to connect to sssd over a unix stream socket
- Allow admin user read/write on fixed_disk_device_t
---
diff --git a/ifndefy.py b/ifndefy.py
old mode 100644
new mode 100755
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ce9ba89..32e04e1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,6 +1,6 @@
 # github repo with selinux-policy sources
 %global giturl https://github.com/fedora-selinux/selinux-policy
-%global commit d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455
+%global commit a3eca1d9f096c0e178c78e629bb129b178c85f95
 %global shortcommit %(c=%{commit}; echo ${c:0:7})
 %define distro redhat
@@ -23,7 +23,7 @@ %define CHECKPOLICYVER 3.2
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 40.13
+Version: 40.14
 Release: 1%{?dist}
 License: GPL-2.0-or-later
 Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
@@ -824,6 +824,33 @@ exit 0
 %endif
 %changelog
+* Mon Feb 26 2024 Zdenek Pytela - 40.14-1
+- Allow userdomain get attributes of files on an nsfs filesystem
+- Allow opafm create NFS files and directories
+- Allow virtqemud create and unlink files in /etc/libvirt/
+- Allow virtqemud domain transition on swtpm execution
+- Add the swtpm.if interface file for interactions with other domains
+- Allow samba to have dac_override capability
+- systemd: allow sys_admin capability for systemd_notify_t
+- systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
+- Allow thumb_t to watch and watch_reads mount_var_run_t
+- Allow krb5kdc_t map krb5kdc_principal_t files
+- Allow unprivileged confined user dbus chat with setroubleshoot
+- Allow login_userdomain map files in /var
+- Allow wireguard work with firewall-cmd
+- Differentiate between staff and sysadm when executing crontab with sudo
+- Add crontab_admin_domtrans interface
+- Allow abrt_t nnp domain transition to abrt_handle_event_t
+- Allow xdm_t to watch and watch_reads mount_var_run_t
+- Dontaudit subscription manager setfscreate and read file contexts
+- Don't audit crontab_domain write attempts to user home
+- Transition from sudodomains to crontab_t when executing crontab_exec_t
+- Add crontab_domtrans interface
+- Fix label of pseudoterminals created from sudodomain
+- Allow utempter_t use ptmx
+- Dontaudit rpmdb attempts to connect to sssd over a unix stream socket
+- Allow admin user read/write on fixed_disk_device_t
 * Mon Feb 12 2024 Zdenek Pytela - 40.13-1
 - Only allow confined user domains to login locally without unconfined_login
 - Add userdom_spec_domtrans_confined_admin_users interface
diff --git a/sources b/sources
index e07859a..5624833 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (selinux-policy-d9f4a2b.tar.gz) = 6abfcb82e7187b0c7c4052d6230a25717e6eb783ecc49c07314422bee138a820f3ff21e8993102f4f954fdb238c28fb94c466c1f275993de1c26db271d910a13
+SHA512 (selinux-policy-a3eca1d.tar.gz) = 5ab037401bfa1b56bef115eb40f9efc22672bff72df20198245bcbf30519721c342db10d049e44871451943cced4c7d89cc18ff968635b7258889cafb3a55df7
+SHA512 (container-selinux.tgz) = 23b5f325990ec53f01d15ce9115abe9af36f43eed2a34adee010e3f2e542f0235bb667c37dc00b8c3a773a17da223ccc18a2b2f69b3e06b48b2f1e2c74fd6d2e
 SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4
-SHA512 (container-selinux.tgz) = 6a33208ad6b3b55d254b98775ed4d1486efb5f09c144b695a852f14f28277a6ebf1de9aa6e9c579677c738cc1b0d7cff4dbdb8d38fc0602433cdf7ce551a00ed
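Review bot: The container-selinux.tgz digest is replaced in this hunk, but nothing in the commit records which upstream container-selinux revision the refreshed tarball was built from: the tarball name carries no version, and the new 40.14-1 changelog entry in selinux-policy.spec lists only policy rule changes. Unlike the selinux-policy tarball, whose name embeds %{shortcommit} derived from the %global commit line in the spec, this entry gives a later reviewer only a hash with no way to re-derive or cross-check it against a known upstream source. Consider adding a changelog line naming the upstream tag or commit the archive was produced from, e.g. `- Update container-selinux to <UPSTREAM-TAG-OR-COMMIT>`, so the new SHA512 can be reproduced rather than taken on trust.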