From 844794a0f4eaa0fbb12ad878f610d8ef38eab006 Mon Sep 17 00:00:00 2001 
From: Lukas Vrabec Date: May 20 2018 23:48:14 +0000 Subject: * Mon May 21 2018 Lukas Vrabec - 3.14.2-17 - Add dac_override capability to remote_login_t domain - Allow chrome_sandbox_t to mmap tmp files - Update ulogd SELinux security policy - Allow rhsmcertd_t domain send signull to apache processes - Allow systemd socket activation for modemmanager - Allow geoclue to dbus chat with systemd - Fix file contexts on conntrackd policy - Temporary fix for varnish and apache adding capability for DAC_OVERRIDE - Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets - Add label for /usr/sbin/pacemaker-remoted to have cluster_exec_t - Allow nscd_t domain to be system dbusd client - Allow abrt_t domain to read sysctl - Add dac_read_search capability for tangd - Allow systemd socket activation for rshd domain - Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t - Allow kdump_t domain to map /boot files - Allow conntrackd_t domain to send msgs to syslog - Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t - Allow swnserve_t domain to stream connect to sasl domain - Allow smbcontrol_t to create dirs with samba_var_t label - Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760) - Allow tangd to read public sssd files BZ(1509054) - Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212) - Allow ctdb_t domain modify ctdb_exec_t files - Allow firewalld_t domain to create netlink_netfilter sockets - Allow radiusd_t domain to read network sysctls - Allow pegasus_t domain to mount tracefs_t filesystem - Allow create systemd to mount pid files - Add files_map_boot_files() interface - Remove execstack,execmem and execheap from domain fsadm_t to increase security. 
BZ(1579760) - Fix typo xserver SELinux module - Allow systemd to mmap files with var_log_t label - Allow x_userdomains read/write to xserver session
---
diff --git a/.gitignore b/.gitignore
index 269045b..22efeca 100644
--- a/.gitignore
+++ b/.gitignore
@@ -279,3 +279,5 @@ serefpolicy*
 /selinux-policy-17160ee.tar.gz
 /selinux-policy-contrib-4f6a859.tar.gz
 /selinux-policy-718d75d.tar.gz
+/selinux-policy-cab8dc9.tar.gz
+/selinux-policy-contrib-19624b4.tar.gz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 938b692..6f0d610 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 718d75d6ef457c74ce1defac3b2d671b3d1f71eb
+%global commit0 cab8dc9056f382289b0559b3bdf336aa09ef8105
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 4f6a859548cce112341679e720b88f7d1cb674d7
+%global commit1 19624b4009a0a252a57e7192dea7d3d322fcd0da
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.2
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
@@ -718,6 +718,41 @@ exit 0
 %endif
 %changelog
+* Mon May 21 2018 Lukas Vrabec - 3.14.2-17
+- Add dac_override capability to remote_login_t domain
+- Allow chrome_sandbox_t to mmap tmp files
+- Update ulogd SELinux security policy
+- Allow rhsmcertd_t domain send signull to apache processes
+- Allow systemd socket activation for modemmanager
+- Allow geoclue to dbus chat with systemd
+- Fix file contexts on conntrackd policy
+- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE
+- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets
+- Add label for /usr/sbin/pacemaker-remoted to have cluster_exec_t
+- Allow nscd_t domain to be system dbusd client
+- Allow abrt_t domain to read sysctl
+- Add dac_read_search capability for tangd
+- Allow systemd socket activation for rshd domain
+- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t
+- Allow kdump_t domain to map /boot files
+- Allow conntrackd_t domain to send msgs to syslog
+- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t
+- Allow swnserve_t domain to stream connect to sasl domain
+- Allow smbcontrol_t to create dirs with samba_var_t label
+- Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760)
+- Allow tangd to read public sssd files BZ(1509054)
+- Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212)
+- Allow ctdb_t domain modify ctdb_exec_t files
+- Allow firewalld_t domain to create netlink_netfilter sockets
+- Allow radiusd_t domain to read network sysctls
+- Allow pegasus_t domain to mount tracefs_t filesystem
+- Allow create systemd to mount pid files
+- Add files_map_boot_files() interface
+- Remove execstack,execmem and execheap from domain fsadm_t to increase security. BZ(1579760)
+- Fix typo xserver SELinux module
+- Allow systemd to mmap files with var_log_t label
+- Allow x_userdomains read/write to xserver session
+
 * Mon Apr 30 2018 Lukas Vrabec - 3.14.2-16
 - Allow systemd to mmap files with var_log_t label
 - Allow x_userdomains read/write to xserver session
diff --git a/sources b/sources
index 48fece5..fcc9dc1 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (selinux-policy-718d75d.tar.gz) = 176da6f3835a17e21e8e0c7377130a90bd2bcd1807cb60ee5eb9070ba843793660ca059d63296236aca98d810b68e1b72cd98e1d351ebe3a46274be1de418137
-SHA512 (selinux-policy-contrib-4f6a859.tar.gz) = 3f2ac4cf26466a324adcc952286c20254cbd0e40149b9948eb623b03804ec056355deefa231dd9e4910097f5b0874f358f1731b68b47c746859a2f02adab23a6
-SHA512 (container-selinux.tgz) = 847b4649718df078e824e344adb95868ed272a4133ac39147b2afac54289ffbd62584b540f6744fbd1b945573ce23e6dbcc425d780d37b5894a1ca5b4cca177e
+SHA512 (selinux-policy-cab8dc9.tar.gz) = d922ec08de3f8a47b312b00d9a64a73466e230b3e8344768f95d762b5e1f52f3d99b77ee5d5901ff76d3ecfa315daecbec428ef6f1a4b9322588ff8fc721f4ae
+SHA512 (selinux-policy-contrib-19624b4.tar.gz) = 25a8fb5a856dc8cb5f2ab42bb9a16371488172393ba8fbcb4aa35f021b00dd9ccd5e40f3fd249799e38bdb6a3461da6ef7b8794ce0250209cad789258959d8fe
+SHA512 (container-selinux.tgz) = 04f324dcf9ecc426157686679201eac943cc535a6d33dec9d7da221585170bc2af89a076a00fc35a10fa0d8be6acce877f19e427bcea5598d72b47f698534ff8
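Review bot: The `container-selinux.tgz` line in the `sources` hunk gets a new SHA512 while nothing else in the commit records what that tarball now contains: the two selinux-policy tarballs are pinned in the spec to upstream commits (commit0/commit1) and carry the short hash in their file names, but container-selinux.tgz keeps a fixed name, has no corresponding pin in the spec hunks shown, and the new changelog entry does not mention it at all. A reviewer can therefore not reconstruct or independently verify the provenance of that third build input from this commit, and a future audit of the resulting policy package has no record of which container-selinux revision went in. I would add a changelog bullet such as `- Update container-selinux.tgz to <upstream revision placeholder>` alongside the hash change and, where the packaging workflow allows it, carry the upstream revision in the tarball name the same way the other two sources do. The spec lines that would define such a pin are outside this hunk, so I cannot tell whether one exists elsewhere in the file.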