From 898cba37079b933d8f902b98afb986b9f255ea00 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Sep 27 2022 14:18:03 +0000
Subject: import selinux-policy-34.1.41-1.el9
---
diff --git a/.gitignore b/.gitignore
index 4f75e87..207ad92 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-9dcf505.tar.gz
+SOURCES/selinux-policy-63e80c0.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index 718aac7..2271b45 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,2 +1,2 @@
-ff295d4c0bb4af2a3972c810f93a7fb2c17fbf27 SOURCES/container-selinux.tgz
-be1161ae8772afa2747bf1cf58d59828934ba05a SOURCES/selinux-policy-9dcf505.tar.gz
+f41207ff670544c6b3c0bb578c47ed5f1977a173 SOURCES/container-selinux.tgz
+beca74c63ac29151f2b2dc1a3861cd7bafaefe63 SOURCES/selinux-policy-63e80c0.tar.gz
diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf
index 61f027d..923a23e 100644
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@@ -2670,3 +2670,24 @@ ica = module
 # insights_client
 #
 insights_client = module
+
+# Layer: contrib
+# Module: stalld
+#
+# stalld
+#
+stalld = module
+
+# Layer: contrib
+# Module: rhcd
+#
+# rhcd
+#
+rhcd = module
+
+# Layer: contrib
+# Module: wireguard
+#
+# wireguard
+#
+wireguard = module
diff --git a/SOURCES/users-minimum b/SOURCES/users-minimum
index 8207eed..66af860 100644
--- a/SOURCES/users-minimum
+++ b/SOURCES/users-minimum
@@ -36,3 +36,4 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/SOURCES/users-mls b/SOURCES/users-mls
index 05d2671..8fad9ea 100644
--- a/SOURCES/users-mls
+++ b/SOURCES/users-mls
@@ -36,3 +36,5 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/SOURCES/users-targeted b/SOURCES/users-targeted
index 8207eed..a875306 100644
--- a/SOURCES/users-targeted
+++ b/SOURCES/users-targeted
@@ -36,3 +36,6 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 196e803..928364b 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -1,6 +1,6 @@
 # github repo with selinux-policy sources
 %global giturl https://github.com/fedora-selinux/selinux-policy
-%global commit 9dcf505fec91d3cc2feae61d9b76726a98dd6b98
+%global commit 63e80c0f2e0d58ce6c28201dab17927594c4b5db
 %global shortcommit %(c=%{commit}; echo ${c:0:7})
 %define distro redhat
@@ -19,11 +19,11 @@
 %define BUILD_MLS 1
 %endif
 %define POLICYVER 33
-%define POLICYCOREUTILSVER 3.3-5
+%define POLICYCOREUTILSVER 3.4-1
 %define CHECKPOLICYVER 3.2
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 34.1.28
+Version: 34.1.41
 Release: 1%{?dist}
 License: GPLv2+
 Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
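Review bot: The three gen_user lines appended to users-targeted carry no comment, while the root entry directly above them sits under a comment block whose start is outside the hunk, and the security-relevant difference is only visible by reading the MLS/MCS arguments: unconfined_u is given `s0 - mls_systemhigh, mcs_allcats` plus the `system_r` role, whereas guest_u and xguest_u are pinned to the single level `s0` with no category range. I would add a short comment above the new lines, e.g. `# Login users: unconfined_u spans the full MLS range with all categories;` / `# guest_u and xguest_u are confined to level s0 with no categories.` The same import gives users-mls only guest_u/xguest_u and users-minimum only unconfined_u; if that asymmetry is intentional, the comment is the place to say so. If these declarations are the "Fix users for SELinux userspace 3.4" item (rhbz#2079290) recorded in the changelog later in this import, citing it here would explain why the users are declared in this file, but I cannot confirm that link from the diff alone.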
@@ -139,6 +139,7 @@ and some additional files.
 %dir %{_datadir}/selinux/devel
 %dir %{_datadir}/selinux/devel/include
 %{_datadir}/selinux/devel/include/*
+%exclude %{_usr}/share/selinux/devel/include/contrib/container.if
 %dir %{_datadir}/selinux/devel/html
 %{_datadir}/selinux/devel/html/*html
 %{_datadir}/selinux/devel/html/*css
@@ -584,7 +585,7 @@ fi
 exit 0
-%triggerin -- pcre
+%triggerin -- pcre2
 %{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
 exit 0
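Review bot: The new `%exclude` line spells its path as `%{_usr}/share/selinux/devel/include/contrib/container.if` while every neighbouring entry in this %files block, including the `%{_datadir}/selinux/devel/include/*` glob it is carving a file out of, uses `%{_datadir}`; the two normally expand to the same directory, but the exclude should be written with the same macro so the pair stays in sync if either is ever overridden: `%exclude %{_datadir}/selinux/devel/include/contrib/container.if`. As I understand rpmbuild, an `%exclude` path must exist in the buildroot, so this line also implicitly records that the policy tarball ships its own container.if; a one-line comment naming why it is dropped would help the next maintainer, e.g. `# container.if is shipped by another package; keep it out of -devel (rhbz#1861968)`, where the bug number and the ownership claim come from the "Exclude container.if from selinux-policy-devel" changelog entry later in this import and should be confirmed before being written down.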
@@ -793,6 +794,283 @@ exit 0
 %endif
 %changelog
+* Thu Aug 25 2022 Nikola Knazekova - 34.1.41-1
+- Allow unconfined domains to bpf all other domains
+Resolves: RHBZ#2112014
+- Allow stalld get and set scheduling policy of all domains.
+Resolves: rhbz#2105038
+- Allow unconfined_t transition to targetclid_home_t
+Resolves: RHBZ#2106360
+- Allow samba-bgqd to read a printer list
+Resolves: rhbz#2118977
+- Allow system_dbusd ioctl kernel with a unix stream sockets
+Resolves: rhbz#2085392
+- Allow chronyd bind UDP sockets to ptp_event ports.
+Resolves: RHBZ#2118631
+- Update tor_bind_all_unreserved_ports interface
+Resolves: RHBZ#2089486
+- Remove permissive domain for rhcd_t
+Resolves: rhbz#2119351
+- Allow unconfined and sysadm users transition for /root/.gnupg
+Resolves: rhbz#2121125
+- Add gpg_filetrans_admin_home_content() interface
+Resolves: rhbz#2121125
+- Update rhcd policy for executing additional commands
+Resolves: rhbz#2119351
+- Update insights-client policy for additional commands execution
+Resolves: rhbz#2119507
+- Add rpm setattr db files macro
+Resolves: rhbz#2119507
+- Add userdom_view_all_users_keys() interface
+Resolves: rhbz#2119507
+- Allow gpg read and write generic pty type
+Resolves: rhbz#2119507
+- Allow chronyc read and write generic pty type
+Resolves: rhbz#2119507
+
+* Wed Aug 10 2022 Nikola Knazekova - 34.1.40-1
+- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd
+Resolves: RHBZ#2088257
+- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t
+Resolves: RHBZ#1976684
+- Allow samba-bgqd get a printer list
+Resolves: rhbz#2112395
+- Allow networkmanager to signal unconfined process
+Resolves: RHBZ#2074414
+- Update NetworkManager-dispatcher policy
+Resolves: RHBZ#2101910
+- Allow openvswitch search tracefs dirs
+Resolves: rhbz#1988164
+- Allow openvswitch use its private tmpfs files and dirs
+Resolves: rhbz#1988164
+- Allow openvswitch fsetid capability
+Resolves: rhbz#1988164
+
+* Tue Aug 02 2022 Nikola Knazekova - 34.1.39-1
+- Add support for systemd-network-generator
+Resolves: RHBZ#2111069
+- Allow systemd work with install_t unix stream sockets
+Resolves: rhbz#2111206
+- Allow sa-update to get init status and start systemd files
+Resolves: RHBZ#2061844
+
+* Fri Jul 15 2022 Nikola Knazekova - 34.1.38-1
+- Allow some domains use sd_notify()
+Resolves: rhbz#2056565
+- Revert "Allow rabbitmq to use systemd notify"
+Resolves: rhbz#2056565
+- Update winbind_rpcd_t
+Resolves: rhbz#2102084
+- Update chronyd_pid_filetrans() to allow create dirs
+Resolves: rhbz#2101910
+- Allow keepalived read the contents of the sysfs filesystem
+Resolves: rhbz#2098130
+- Define LIBSEPOL version 3.4-1
+Resolves: rhbz#2095688
+
+* Wed Jun 29 2022 Zdenek Pytela - 34.1.37-1
+- Allow targetclid read /var/target files
+Resolves: rhbz#2020169
+- Update samba-dcerpcd policy for kerberos usage 2
+Resolves: rhbz#2096521
+- Allow samba-dcerpcd work with sssd
+Resolves: rhbz#2096521
+- Allow stalld set scheduling policy of kernel threads
+Resolves: rhbz#2102224
+
+* Tue Jun 28 2022 Zdenek Pytela - 34.1.36-1
+- Allow targetclid read generic SSL certificates (fixed)
+Resolves: rhbz#2020169
+- Fix file context pattern for /var/target
+Resolves: rhbz#2020169
+- Use insights_client_etc_t in insights_search_config()
+Resolves: rhbz#1965013
+
+* Fri Jun 24 2022 Zdenek Pytela - 34.1.35-1
+-Add the corecmd_watch_bin_dirs() interface
+Resolves: rhbz#1965013
+- Update rhcd policy
+Resolves: rhbz#1965013
+- Allow rhcd search insights configuration directories
+Resolves: rhbz#1965013
+- Add the kernel_read_proc_files() interface
+Resolves: rhbz#1965013
+- Update insights_client_filetrans_named_content()
+Resolves: rhbz#2081425
+- Allow transition to insights_client named content
+Resolves: rhbz#2081425
+- Add the insights_client_filetrans_named_content() interface
+Resolves: rhbz#2081425
+- Update policy for insights-client to run additional commands 3
+Resolves: rhbz#2081425
+- Allow insights-client execute its private memfd: objects
+Resolves: rhbz#2081425
+- Update policy for insights-client to run additional commands 2
+Resolves: rhbz#2081425
+- Use insights_client_tmp_t instead of insights_client_var_tmp_t
+Resolves: rhbz#2081425
+- Change space indentation to tab in insights-client
+Resolves: rhbz#2081425
+- Use socket permissions sets in insights-client
+Resolves: rhbz#2081425
+- Update policy for insights-client to run additional commands
+Resolves: rhbz#2081425
+- Allow init_t to rw insights_client unnamed pipe
+Resolves: rhbz#2081425
+- Fix insights client
+Resolves: rhbz#2081425
+- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
+Resolves: rhbz#2081425
+- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
+Resolves: rhbz#2081425
+- Allow stalld get scheduling policy of kernel threads
+Resolves: rhbz#2096776
+- Update samba-dcerpcd policy for kerberos usage
+Resolves: rhbz#2096521
+- Allow winbind_rpcd_t connect to self over a unix_stream_socket
+Resolves: rhbz#2096255
+- Allow dlm_controld send a null signal to a cluster daemon
+Resolves: rhbz#2095884
+- Allow dhclient manage pid files used by chronyd
+The chronyd_manage_pid_files() interface was added.
+- Resolves: rhbz#2094155
+Allow install_t nnp_domtrans to setfiles_mac_t
+- Resolves: rhbz#2073010
+- Allow rabbitmq to use systemd notify
+Resolves: rhbz#2056565
+- Allow ksmctl create hardware state information files
+Resolves: rhbz#2021131
+- Label /var/target with targetd_var_t
+Resolves: rhbz#2020169
+- Allow targetclid read generic SSL certificates
+Resolves: rhbz#2020169
+
+* Thu Jun 09 2022 Zdenek Pytela - 34.1.34-1
+- Allow stalld setsched and sys_nice
+Resolves: rhbz#2092864
+- Allow rhsmcertd to create cache file in /var/cache/cloud-what
+Resolves: rhbz#2092333
+- Update policy for samba-dcerpcd
+Resolves: rhbz#2083509
+- Add support for samba-dcerpcd
+Resolves: rhbz#2083509
+- Allow rabbitmq to access its private memfd: objects
+Resolves: rhbz#2056565
+- Confine targetcli
+Resolves: rhbz#2020169
+- Add policy for wireguard
+Resolves: 1964862
+- Label /var/cache/insights with insights_client_cache_t
+Resolves: rhbz#2062136
+- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
+Resolves: rhbz#2094489
+- Allow auditd_t noatsecure for a transition to audisp_remote_t
+Resolves: rhbz#2081907
+
+* Fri May 27 2022 Zdenek Pytela - 34.1.33-1
+- Allow insights-client manage gpg admin home content
+Resolves: rhbz#2062136
+- Add the gpg_manage_admin_home_content() interface
+Resolves: rhbz#2062136
+- Add rhcd policy
+Resolves: bz#1965013
+- Allow svirt connectto virtlogd
+Resolves: rhbz#2000881
+- Add ksm service to ksmtuned
+Resolves: rhbz#2021131
+- Allow nm-privhelper setsched permission and send system logs
+Resolves: rhbz#2053639
+- Update the policy for systemd-journal-upload
+Resolves: rhbz#2085369
+- Allow systemd-journal-upload watch logs and journal
+Resolves: rhbz#2085369
+- Create a policy for systemd-journal-upload
+Resolves: rhbz#2085369
+- Allow insights-client create and use unix_dgram_socket
+Resolves: rhbz#2087765
+- Allow insights-client search gconf homedir
+Resolves: rhbz#2087765
+
+* Wed May 11 2022 Zdenek Pytela - 34.1.32-1
+- Dontaudit guest attempts to dbus chat with systemd domains
+Resolves: rhbz#2062740
+- Dontaudit guest attempts to dbus chat with system bus types
+Resolves: rhbz#2062740
+- Fix users for SELinux userspace 3.4
+Resolves: rhbz#2079290
+- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
+Resolves: rhbz#2076681
+- Allow systemd-sleep get removable devices attributes
+Resolves: rhbz#2082404
+- Allow systemd-sleep tlp_filetrans_named_content()
+Resolves: rhbz#2082404
+- Allow systemd-sleep execute generic programs
+Resolves: rhbz#2082404
+- Allow systemd-sleep execute shell
+Resolves: rhbz#2082404
+- Allow systemd-sleep transition to sysstat_t
+Resolves: rhbz#2082404
+- Allow systemd-sleep transition to tlp_t
+Resolves: rhbz#2082404
+- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
+Resolves: rhbz#2082404
+- allow systemd-sleep to set timer for suspend-then-hibernate
+Resolves: rhbz#2082404
+- Add default fc specifications for patterns in /opt
+Resolves: rhbz#2081059
+- Use a named transition in systemd_hwdb_manage_config()
+Resolves: rhbz#2061725
+
+* Wed May 04 2022 Nikola Knazekova - 34.1.31-2
+- Remove "v" from the package version
+
+* Mon May 02 2022 Nikola Knazekova - v34.1.31-1
+- Label /var/run/machine-id as machineid_t
+Resolves: rhbz#2061680
+- Allow insights-client create_socket_perms for tcp/udp sockets
+Resolves: rhbz#2077377
+- Allow insights-client read rhnsd config files
+Resolves: rhbz#2077377
+- Allow rngd drop privileges via setuid/setgid/setcap
+Resolves: rhbz#2076642
+- Allow tmpreaper the sys_ptrace userns capability
+Resolves: rhbz#2062823
+- Add stalld to modules.conf
+Resolves: rhbz#2042614
+- New policy for stalld
+Resolves: rhbz#2042614
+- Label new utility of NetworkManager nm-priv-helper
+Resolves: rhbz#2053639
+- Exclude container.if from selinux-policy-devel
+Resolves: rhbz#1861968
+
+* Tue Apr 19 2022 Zdenek Pytela - 34.1.30-2
+- Update source branches to build a new package for RHEL 9.1.0
+
+* Tue Apr 12 2022 Nikola Knazekova - 34.1.30-1
+- Allow administrative users the bpf capability
+Resolves: RHBZ#2070982
+- Allow NetworkManager talk with unconfined user over unix domain dgram socket
+Resolves: rhbz#2064688
+- Allow hostapd talk with unconfined user over unix domain dgram socket
+Resolves: rhbz#2064688
+- Allow fprintd read and write hardware state information
+Resolves: rhbz#2062911
+- Allow fenced read kerberos key tables
+Resolves: RHBZ#2060722
+- Allow init watch and watch_reads user ttys
+Resolves: rhbz#2060289
+- Allow systemd watch and watch_reads console devices
+Resolves: rhbz#2060289
+- Allow nmap create and use rdma socket
+Resolves: RHBZ#2059603
+
+* Thu Mar 31 2022 Zdenek Pytela - 34.1.29-1
+- Allow qemu-kvm create and use netlink rdma sockets
+Resolves: rhbz#2063612
+- Label corosync-cfgtool with cluster_exec_t
+Resolves: rhbz#2061277
+
 * Thu Mar 24 2022 Zdenek Pytela - 34.1.28-1
 - Allow logrotate a domain transition to cluster administrative domain
 Resolves: rhbz#2061277