From 946180c0d0749abf9a3dc4d0344f236c16eb862c Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jul 28 2020 12:31:06 +0000 Subject: import selinux-policy-3.14.3-48.el8 --- diff --git a/.gitignore b/.gitignore index 9a0c058..73b701f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ SOURCES/container-selinux.tgz -SOURCES/selinux-policy-contrib-20346b0.tar.gz -SOURCES/selinux-policy-d76fcee.tar.gz +SOURCES/selinux-policy-420bacb.tar.gz +SOURCES/selinux-policy-contrib-876387c.tar.gz diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata index 6669515..c1bc4dd 100644 --- a/.selinux-policy.metadata +++ b/.selinux-policy.metadata @@ -1,3 +1,3 @@ -ebdfca6c003d85c7ef844b24ddcce74f6a00fb0d SOURCES/container-selinux.tgz -6c9e28f9df02de9eab3afee49ed11a5231bcf860 SOURCES/selinux-policy-contrib-20346b0.tar.gz -251b98b0076ddfe2dc4ffac49838c089cbe90be7 SOURCES/selinux-policy-d76fcee.tar.gz +a5fc34a7fbfd13a2b86609bdea0bcc2b312163d1 SOURCES/container-selinux.tgz +3756201d4d69bb4834cfaac8aff3398a1d8b482c SOURCES/selinux-policy-420bacb.tar.gz +4de0c405f689cec37c49a8fc5054990f0fa27007 SOURCES/selinux-policy-contrib-876387c.tar.gz diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec index b4c1356..5cd9c1b 100644 --- a/SPECS/selinux-policy.spec +++ b/SPECS/selinux-policy.spec @@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 d76fceec695c24f195633137f40b5dacba5a8759 +%global commit0 420bacb2c1f970da8f6b71d3338c1968bc1926db %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 20346b0f238e84d0ad58bc1a3c96f6ed3fb1da3d +%global commit1 876387c1df207a8364eacd41e6c0b89d13bba8c3 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat 
@@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.3 -Release: 30%{?dist} +Release: 48%{?dist} License: GPLv2+ Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz 
@@ -715,6 +715,211 @@ exit 0 %endif %changelog +* Mon Jun 29 2020 Zdenek Pytela - 3.14.3-48 +- Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t +Resolves: rhbz#1836820 + +* Mon Jun 29 2020 Zdenek Pytela - 3.14.3-47 +- Allow virtlogd_t manage virt lib files +Resolves: rhbz#1832756 +- Allow pdns server to read system state +Resolves: rhbz#1801214 +- Support systemctl --user in machinectl +Resolves: rhbz#1788616 +- Allow chkpwd_t read and write systemd-machined devpts character nodes +Resolves: rhbz#1788616 +- Allow init_t write to inherited systemd-logind sessions pipes +Resolves: rhbz#1788616 +- Label systemd-growfs and systemd-makefs as fsadm_exec_t +Resolves: rhbz#1820798 +- Allow staff_u and user_u setattr generic usb devices +Resolves: rhbz#1783325 +- Allow sysadm_t dbus chat with accountsd +Resolves: rhbz#1828809 + +* Tue Jun 23 2020 Zdenek Pytela - 3.14.3-46 +- Fix description tag for the sssd_connect_all_unreserved_ports tunable +Related: rhbz#1826748 +- Allow journalctl process set its resource limits +Resolves: rhbz#1825894 +- Add sssd_access_kernel_keys tunable to conditionally access kernel keys +Resolves: rhbz#1802062 +- Make keepalived work with network namespaces +Resolves: rhbz#1815281 +- Create sssd_connect_all_unreserved_ports boolean +Resolves: rhbz#1826748 +- Allow hypervkvpd to request kernel to load a module +Resolves: rhbz#1842414 +- Allow systemd_private_tmp(dirsrv_tmp_t) +Resolves: rhbz#1836820 +- Allow radiusd connect to gssproxy over unix domain stream socket +Resolves: rhbz#1813572 +- Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?' 
+Resolves: rhbz#1832231 +- Modify kernel_rw_key() not to include append permission +Related: rhbz#1802062 +- Add kernel_rw_key() interface to access to kernel keyrings +Related: rhbz#1802062 +- Modify systemd_delete_private_tmp() to use delete_*_pattern macros +Resolves: rhbz#1836820 +- Allow systemd-modules to load kernel modules +Resolves: rhbz#1823246 +- Add cachefiles_dev_t as a typealias to cachefiles_device_t +Resolves: rhbz#1814796 + +* Mon Jun 15 2020 Zdenek Pytela - 3.14.3-45 +- Remove files_mmap_usr_files() call for particular domains +Related: rhbz#1801214 +- Allow dirsrv_t list cgroup directories +Resolves: rhbz#1836795 +- Create the kerberos_write_kadmind_tmp_files() interface +Related: rhbz#1841488 +- Allow realmd_t dbus chat with accountsd_t +Resolves: rhbz#1792895 +- Allow nagios_plugin_domain execute programs in bin directories +Resolves: rhbz#1815621 +- Update allow rules set for nrpe_t domain +Resolves: rhbz#1750821 +- Allow Gluster mount client to mount files_type +Resolves: rhbz#1753626 +- Allow qemu-kvm read and write /dev/mapper/control +Resolves: rhbz#1835909 +- Introduce logrotate_use_cifs boolean +Resolves: rhbz#1795923 +- Allow ptp4l_t sys_admin capability to run bpf programs +Resolves: rhbz#1759214 +- Allow rhsmd mmap /etc/passwd +Resolves: rhbz#1814644 +- Remove files_mmap_usr_files() call for systemd_localed_t +Related: rhbz#1801214 +- Allow domain mmap usr_t files +Resolves: rhbz#1801214 +- Allow libkrb5 lib read client keytabs +Resolves: rhbz#1831769 +- Add files_dontaudit_manage_boot_dirs() interface +Related: rhbz#1803868 +- Create files_create_non_security_dirs() interface +Related: rhbz#1840265 +- Add new interface dev_mounton_all_device_nodes() +Related: rhbz#1840265 +- Add new interface dev_create_all_files() +Related: rhbz#1840265 +- Allow sshd write to kadmind temporary files +Resolves: rhbz#1841488 +- Create init_create_dirs boolean to allow init create directories +Resolves: rhbz#1832231 +- Do not audit staff_t and user_t 
attempts to manage boot_t entries +Resolves: rhbz#1803868 +- Allow systemd to relabel all files on system. +Resolves: rhbz#1818981 +- Make dbus-broker service working on s390x arch +Resolves: rhbz#1840265 + +* Wed May 20 2020 Zdenek Pytela - 3.14.3-44 +- Make boinc_var_lib_t label system mountdir attribute +Resolves: rhbz#1779070 +- Allow aide to be executed by systemd with correct (aide_t) domain +Resolves: rhbz#1814809 +- Allow chronyc_t domain to use nsswitch +Resolves: rhbz#1772852 +- Allow nscd_socket_use() for domains in nscd_use() unconditionally +Resolves: rhbz#1772852 +- Allow gluster geo-replication in rsync mode +Resolves: rhbz#1831109 +- Update networkmanager_read_pid_files() to allow also list_dir_perms +Resolves: rhbz#1781818 +- Allow associating all labels with CephFS +Resolves: bz#1814689 +- Allow tcpdump sniffing offloaded (RDMA) traffic +Resolves: rhbz#1834773 + +* Fri Apr 17 2020 Zdenek Pytela - 3.14.3-43 +- Update radiusd policy +Resolves: rhbz#1803407 +- Allow sssd read NetworkManager's runtime directory +Resolves: rhbz#1781818 +- Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t +Resolves: rhbz#1777506 +- Allow ipa_helper_t to read kr5_keytab_t files +Resolves: rhbz#1769423 +- Add ibacm_t ipc_lock capability +Resolves: rhbz#1754719 +- Allow opafm_t to create and use netlink rdma sockets. 
+Resolves: rhbz#1786670 +- Allow ptp4l_t create and use packet_socket sockets +Resolves: rhbz#1759214 +- Update ctdbd_t policy +Resolves: rhbz#1735748 +- Allow glusterd synchronize between master and slave +Resolves: rhbz#1824662 +- Allow auditd poweroff or switch to single mode +Resolves: rhbz#1826788 +- Allow init_t set the nice level of all domains +Resolves: rhbz#1819121 +- Label /etc/sysconfig/ip6?tables\.save as system_conf_t +Resolves: rhbz#1776873 +- Add file context entry and file transition for /var/run/pam_timestamp +Resolves: rhbz#1791957 + +* Wed Apr 08 2020 Zdenek Pytela - 3.14.3-42 +- Allow ssh-keygen create file in /var/lib/glusterd +Resolves: rhbz#1816663 +- Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files +Resolves: rhbz#1819243 +- Remove container interface calling by named_filetrans_domain. +- Makefile: fix tmp/%.mod.fc target +Resolves: rhbz#1821191 + +* Mon Mar 16 2020 Zdenek Pytela - 3.14.3-41 +- Allow NetworkManager read its unit files and manage services +- Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t +Resolves: rhbz#1806894 + +* Tue Feb 18 2020 Lukas Vrabec - 3.14.3-40 +- Update virt_read_qemu_pid_files inteface +Resolves: rhbz#1782925 + +* Sat Feb 15 2020 Lukas Vrabec - 3.14.3-39 +- Allow vhostmd communication with hosted virtual machines +- Add and update virt interfaces +Resolves: rhbz#1782925 + +* Tue Jan 28 2020 Zdenek Pytela - 3.14.3-38 +- Dontaudit timedatex_t read file_contexts_t and validate security contexts +Resolves: rhbz#1779098 + +* Tue Jan 21 2020 Lukas Vrabec - 3.14.3-37 +- Make stratisd_t domain unconfined for RHEL-8.2 +Resolves: rhbz#1791557 +- stratisd_t policy updates +Resolves: rhbz#1791557 + +* Thu Jan 16 2020 Lukas Vrabec - 3.14.3-36 +- Label /stratis as stratisd_data_t +Resolves: rhbz#1791557 + +* Tue Jan 14 2020 Lukas Vrabec - 3.14.3-35 +- Allow stratisd_t domain to read/write fixed disk devices and removable devices. 
+Resolves: rhbz#1790795 + +* Mon Jan 13 2020 Lukas Vrabec - 3.14.3-34 +- Added macro for stratisd to chat over dbus +- Add dac_override capability to stratisd_t domain +- Allow userdomain to chat with stratisd over dbus. +Resolves: rhbz#1787298 + +* Fri Jan 10 2020 Lukas Vrabec - 3.14.3-33 +- Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directory +Resolves: rhbz#1778126 + +* Wed Jan 08 2020 Lukas Vrabec - 3.14.3-32 +- Allow create udp sockets for abrt_upload_watch_t domains +Resolves: rhbz#1777761 + +* Wed Jan 08 2020 Lukas Vrabec - 3.14.3-31 +- Allow sssd_t domain to read kernel net sysctls +Resolves: rhbz#1777042 + * Fri Dec 13 2019 Zdenek Pytela - 3.14.3-30 - Allow userdomain dbus chat with systemd_resolved_t Resolves: rhbz#1773463
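Review bot: In the .selinux-policy.metadata hunk, the digest on the SOURCES/container-selinux.tgz line changes while the file name stays the same, and no added changelog entry names a container-selinux revision, so the new tarball content cannot be tied to an upstream commit the way the two selinux-policy tarballs are tied to commit0 and commit1. Suggest recording the container-selinux commit or version in the spec or changelog, or naming the tarball by its short commit like the other two sources. The three digests are also of SHA-1 length (40 hex digits); if the lookaside tooling accepts it, a SHA-256 digest per source would make the pin stronger.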
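Review bot: In the %changelog hunk of SPECS/selinux-policy.spec, the 3.14.3-37 entry "Make stratisd_t domain unconfined for RHEL-8.2" removes confinement from a domain that the 3.14.3-34 to 3.14.3-36 entries had just given targeted rules (dac_override, dbus chat, fixed and removable disk access), and it states neither why those rules were insufficient nor whether confinement is meant to return after RHEL-8.2. Suggest adding a line with that rationale so the widening can be audited later. Smaller points in the same hunk: the 3.14.3-44 entry uses "Resolves: bz#1814689" where every other entry uses the rhbz# prefix, which a script matching on rhbz# would miss; "inteface" in 3.14.3-40 should read "interface"; "kr5_keytab_t" in 3.14.3-43 looks like a typo for krb5_keytab_t; and in 3.14.3-42, -41, -39 and -34 several items share a single Resolves line, so it is unclear which item each bug number covers.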