From 8394f612f0185b3a7d7eb591879367445719d028 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Jul 30 2020 16:50:17 +0000
Subject: * Thu Jul 30 2020 Zdenek Pytela - 3.14.6-22 - Allow virtlockd only getattr and lock block devices - Allow qemu-ga read all non security file types conditionally - Allow virtlockd manage VMs posix file locks - Allow smbd get attributes of device files labeled samba_share_t - Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t - Add a new httpd_can_manage_courier_spool boolean - Create interface courier_manage_spool_sockets() in courier policy to allow to search dir and allow manage sock files - Revert "Allow qemu-kvm read and write /dev/mapper/control" - Revert "Allow qemu read and write /dev/mapper/control" - Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain" - Dontaudit pcscd_t setting its process scheduling - Dontaudit thumb_t setting its process scheduling - Allow munin domain transition with NoNewPrivileges - Add dev_lock_all_blk_files() interface - Allow auditd manage kerberos host rcache files - Allow systemd-logind dbus chat with fwupd
---
diff --git a/.gitignore b/.gitignore
index cfc7b36..7a65950 100644
--- a/.gitignore
+++ b/.gitignore
@@ -471,3 +471,7 @@ serefpolicy*
 /selinux-policy-contrib-27225b9.tar.gz
 /selinux-policy-d5c0a2d.tar.gz
 /selinux-policy-9c84d68.tar.gz
+/selinux-policy-af31e95.tar.gz
+/selinux-policy-contrib-3e36d23.tar.gz
+/selinux-policy-contrib-72b3524.tar.gz
+/selinux-policy-3952201.tar.gz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5e1be57..bcde1de 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 9c84d687e0fef5d8e4e25273bd25f58c28a7c67c
+%global commit0 395220122fcd6b93956c758a2a5094487254a89e
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 27225b9de42be65760194536680c9d596f1a1895
+%global commit1 72b352431e6cdce2bd6a26ad942d373f42dbba58
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 %define distro redhat
@@ -29,7 +29,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.6
-Release: 21%{?dist}
+Release: 22%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -784,6 +784,24 @@ exit 0
 %endif
 %changelog
+* Thu Jul 30 2020 Zdenek Pytela - 3.14.6-22
+- Allow virtlockd only getattr and lock block devices
+- Allow qemu-ga read all non security file types conditionally
+- Allow virtlockd manage VMs posix file locks
+- Allow smbd get attributes of device files labeled samba_share_t
+- Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t
+- Add a new httpd_can_manage_courier_spool boolean
+- Create interface courier_manage_spool_sockets() in courier policy to allow to search dir and allow manage sock files
+- Revert "Allow qemu-kvm read and write /dev/mapper/control"
+- Revert "Allow qemu read and write /dev/mapper/control"
+- Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain"
+- Dontaudit pcscd_t setting its process scheduling
+- Dontaudit thumb_t setting its process scheduling
+- Allow munin domain transition with NoNewPrivileges
+- Add dev_lock_all_blk_files() interface
+- Allow auditd manage kerberos host rcache files
+- Allow systemd-logind dbus chat with fwupd
+
 * Wed Jul 29 2020 Fedora Release Engineering - 3.14.6-21
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
diff --git a/sources b/sources
index 2e0ba75..7c1be60 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
-SHA512 (selinux-policy-contrib-27225b9.tar.gz) = 0cdb3e3aeaaf2c80de65d25e5d4ad1a394df9e9d7c2eb5a8c82548b86a31afd230976f4d598209d3765c21b9202ee0e5b8e98774fc84bdba9f16949ccd1956f7
-SHA512 (selinux-policy-9c84d68.tar.gz) = 3705d873f144f3ba952dabdf772490f89872042bfc11d82efc787b0afe580704530ff7aa5b34b7515487f4e27d22a973c9bae01fc3936bb8201c52d0f3938156
-SHA512 (container-selinux.tgz) = 831a83e557ef61b577b7adc61144e4c8056922e0f9de7b32fa57f3d972d2c5746c1b53a114ac382f87a631aa85c2d53b787ed5206c68395c6a2d67913e766978
+SHA512 (selinux-policy-contrib-72b3524.tar.gz) = cea10b427dd3163af8c41f42e8335725d922365829ea22b3cea86ed65db1428aea36543f2eb1e117dda47cc7281b5df29458ed7ce14353b9927646f6c7b01380
+SHA512 (selinux-policy-3952201.tar.gz) = bbbfe75befd7991a5daadfdea9077e72d9afd184cf942a692a5027874ff9f35b3111a9d6f6fc600db55846d05019d45003e1e2b38e2ede33569a35adaf72d1ea
+SHA512 (container-selinux.tgz) = 56ab458b50e755d586bfb4df82a6fab788124feb5b57a7947d5c38208468c76826c466e1515264fd3cbfed785b110251f2233125b3c8e61a67503437c12a92c3
 SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4
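Review bot: The SHA512 for `container-selinux.tgz` changes in this hunk, but nothing visible on this page records which upstream revision the new archive was built from. The two selinux-policy tarballs carry a short commit id in their file names and are pinned by `commit0`/`commit1` in the spec hunk, while this archive keeps an unversioned name and the 3.14.6-22 changelog entry does not mention it. Consider recording the revision, for example a changelog line such as `- Update container-selinux.tgz to <upstream-commit>` (placeholder), or a commit-qualified file name, so the new checksum can be verified against a known source state. If the pin lives in a part of the spec outside these hunks, a pointer to it in the commit message would be enough.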