From a5887e268492d2f3d15d22daaa8da0570ce1c89e Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 06 2021 11:17:05 +0000
Subject: import selinux-policy-3.14.3-79.el8
---
diff --git a/.gitignore b/.gitignore
index 656c76a..67c68c4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-33fd484.tar.gz
-SOURCES/selinux-policy-contrib-4beb213.tar.gz
+SOURCES/selinux-policy-8f56f63.tar.gz
+SOURCES/selinux-policy-contrib-2a53cd0.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index 36c1b3a..e3b3eb8 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,3 +1,3 @@
-99c5dc0dbb5f824b2cc29d18e8911401677e0bb1 SOURCES/container-selinux.tgz
-4da13e377b1e178962423475a04832ed39581394 SOURCES/selinux-policy-33fd484.tar.gz
-45d3dbd0265f43953376baacdbc070a566eb429b SOURCES/selinux-policy-contrib-4beb213.tar.gz
+0d1a0214195d9519327846c21d7ac90b7da218c1 SOURCES/container-selinux.tgz
+672cfe526149ad56c857a79856e769548d9ead8e SOURCES/selinux-policy-8f56f63.tar.gz
+6e84adfa8c88519a3c24f6f8426d59868bcd6050 SOURCES/selinux-policy-contrib-2a53cd0.tar.gz
diff --git a/SOURCES/file_contexts.subs_dist b/SOURCES/file_contexts.subs_dist
index f64b231..0f127d9 100644
--- a/SOURCES/file_contexts.subs_dist
+++ b/SOURCES/file_contexts.subs_dist
@@ -17,3 +17,4 @@
 /var/roothome /root
 /sbin /usr/sbin
 /sysroot/tmp /tmp
+/var/usrlocal /usr/local
diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf
index 7c6c66d..de87626 100644
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@@ -720,13 +720,6 @@ git = module
 #
 glance = module
-# Layer: contrib
-# Module: glusterd
-#
-# policy for glusterd service
-#
-glusterd = module
-
 # Layer: apps
 # Module: gnome
 #
@@ -2012,7 +2005,7 @@ timidity = off
 tmpreaper = module
 # Layer: contrib
-# Module: glusterd
+# Module: tomcat
 #
 # policy for tomcat service
 #
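Review bot: The new `/var/usrlocal /usr/local` line in the file_contexts.subs_dist hunk is a path substitution that libselinux applies before any file_contexts regex is matched, so every lookup under /var/usrlocal is already answered by whatever /usr/local rules the policy carries; the separate `'/var/usrlocal/(.*/)?sbin(/.*)?'` bin_t fcontext that this release's changelog lists for the same rhbz#1943381 can therefore never match and should either be dropped from the policy sources or have its purpose confirmed, so a dead rule does not sit there looking authoritative. The substitution only changes label lookup: files already present under /var/usrlocal keep whatever label they currently have until `restorecon -R /var/usrlocal` or a full relabel runs, and nothing in this hunk arranges that, so the package's relabel-on-update path should be checked for this directory. The file gives no record of why the alias exists (presumably OSTree hosts, where /usr/local is a symlink into /var/usrlocal); a comment above the entry such as `# /usr/local is a symlink to /var/usrlocal on OSTree hosts, label it as /usr/local (rhbz#1943381)` would help the next reader, and libselinux skips `#` lines in subs files.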
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index fc9caf0..ae88789 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 33fd4847deb2522105cfba82da5efb707025934c
+%global commit0 8f56f631a921d043bc8176f7c64a38cd77b48f66
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 4beb213356f6020d4ea6635dda6842cef88fb357
+%global commit1 2a53cd02bd0d06568ecc549b15321f658d00babd
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 65%{?dist}
+Release: 79%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -715,6 +715,220 @@ exit 0
 %endif
 %changelog
+* Fri Aug 27 2021 Zdenek Pytela - 3.14.3-79
+- Introduce xdm_manage_bootloader booelan
+Resolves: rhbz#1994096
+- Rename samba_exec() to samba_exec_net()
+Resolves: rhbz#1855215
+- Allow sssd to set samba setting
+Resolves: rhbz#1855215
+- Allow dirsrv read slapd tmpfs files
+Resolves: rhbz#1843238
+- Allow rhsmcertd to create cache file in /var/cache/cloud-what
+Resolves: rhbz#1994718
+
+* Wed Aug 25 2021 Zdenek Pytela - 3.14.3-78
+- Label /usr/bin/Xwayland with xserver_exec_t
+Resolves: rhbz#1984584
+- Label /usr/libexec/gdm-runtime-config with xdm_exec_t
+Resolves: rhbz#1984584
+- Allow D-bus communication between avahi and sosreport
+Resolves: rhbz#1916397
+- Allow lldpad send to kdumpctl over a unix dgram socket
+Resolves: rhbz#1979121
+- Revert "Allow lldpad send to kdump over a unix dgram socket"
+Resolves: rhbz#1979121
+- Allow chronyc respond to a user chronyd instance
+Resolves: rhbz#1993104
+- Allow ptp4l respond to pmc
+Resolves: rhbz#1993104
+- Allow lldpad send to unconfined_t over a unix dgram socket
+Resolves: rhbz#1993270
+
+* Thu Aug 12 2021 Zdenek Pytela - 3.14.3-77
+- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
+Resolves: rhbz#1887739
+- Allow sysadm to read/write scsi files and manage shadow
+Resolves: rhbz#1956302
+- Allow rhsmcertd execute gpg
+Resolves: rhbz#1887572
+- Allow lldpad send to kdump over a unix dgram socket
+Resolves: rhbz#1979121
+- Remove glusterd SELinux module from distribution policy
+Resolves: rhbz#1816718
+
+* Tue Aug 10 2021 Zdenek Pytela - 3.14.3-76
+- Allow login_userdomain read and map /var/lib/systemd files
+Resolves: rhbz#1965251
+- Allow sysadm acces to kernel module resources
+Resolves: rhbz#1965251
+- Allow sysadm to read/write scsi files and manage shadow
+Resolves: rhbz#1965251
+- Allow sysadm access to files_unconfined and bind rpc ports
+Resolves: rhbz#1965251
+- Allow sysadm read and view kernel keyrings
+Resolves: rhbz#1965251
+- Allow bootloader to read tuned etc files
+Resolves: rhbz#1965251
+- Update the policy for systemd-journal-upload
+Resolves: rhbz#1913414
+- Allow journal mmap and read var lib files
+Resolves: rhbz#1965251
+- Allow tuned to read rhsmcertd config files
+Resolves: rhbz#1965251
+- Allow bootloader to read tuned etc files
+Resolves: rhbz#1965251
+- Confine rhsm service and rhsm-facts service as rhsmcertd_t
+Resolves: rhbz#1846081
+- Allow virtlogd_t read process state of user domains
+Resolves: rhbz#1797899
+- Allow cockpit_ws_t get attributes of fs_t filesystems
+Resolves: rhbz#1979182
+
+* Thu Jul 29 2021 Zdenek Pytela - 3.14.3-75
+- Add the unconfined_dgram_send() interface
+Resolves: rhbz#1978562
+- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
+Resolves: rhbz#1936522
+- Add checkpoint_restore cap2 capability
+Resolves: rhbz#1973325
+- Allow fcoemon talk with unconfined user over unix domain datagram socket
+Resolves: rhbz#1978562
+- Allow hostapd bind UDP sockets to the dhcpd port
+Resolves: rhbz#1977676
+- Allow NetworkManager read and write z90crypt device
+Resolves: rhbz#1938203
+- Allow abrt_domain read and write z90crypt device
+Resolves: rhbz#1938203
+- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
+Resolves: rhbz#1937111
+- Allow mdadm read iscsi pid files
+Resolves: rhbz#1924716
+
+* Fri Jul 16 2021 Zdenek Pytela - 3.14.3-74
+- Allow dyntransition from sshd_t to unconfined_t
+Resolves: rhbz#1947841
+
+* Wed Jul 14 2021 Zdenek Pytela - 3.14.3-73
+- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
+Resolves: rhbz#1947841
+- Allow transition from xdm domain to unconfined_t domain.
+Resolves: rhbz#1947841
+- Allow nftables read NetworkManager unnamed pipes
+Resolves: rhbz#1967857
+- Create a policy for systemd-journal-upload
+Resolves: rhbz#1913414
+- Add dev_getattr_infiniband_dev() interface.
+Resolves: rhbz#1972522
+- Allow tcpdump and nmap get attributes of infiniband_device_t
+Resolves: rhbz#1972522
+- Allow fcoemon create sysfs files
+Resolves: rhbz#1978562
+- Allow nftables read NetworkManager unnamed pipes
+Resolves: rhbz#1967857
+- Allow radius map its library files
+Resolves: rhbz#1854650
+- Allow arpwatch get attributes of infiniband_device_t devices
+Resolves: rhbz#1936522
+
+* Tue Jun 29 2021 Zdenek Pytela - 3.14.3-72
+- Allow systemd-sleep get attributes of fixed disk device nodes
+Resolves: rhbz#1931460
+- Allow systemd-sleep create hardware state information files
+Resolves: rhbz#1968610
+- virtiofs supports Xattrs and SELinux
+Resolves: rhbz#1899703
+- Label 4460/tcp port as ntske_port_t
+Resolves: rhbz#1961207
+- Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.
+Resolves: rhbz#1961207
+- Allow chronyd_t to accept and make NTS-KE connections
+Resolves: rhbz#1961207
+- Dontaudit NetworkManager write to initrc_tmp_t pipes
+Resolves: rhbz#1963162
+- Allow logrotate rotate container log files
+Resolves: rhbz#1892170
+- Allow rhsmd read process state of all domains and kernel threads
+Resolves: rhbz#1878020
+
+* Tue Jun 15 2021 Zdenek Pytela - 3.14.3-71
+- Allow nmap create and use rdma socket
+Resolves: rhbz#1844530
+- Label /.k5identity file allow read of this file to rpc.gssd
+Resolves: rhbz#1951093
+- Label /var/lib/kdump with kdump_var_lib_t
+Resolves: rhbz#1965985
+- Label /run/libvirt/common with virt_common_var_run_t
+Resolves: rhbz#1966842
+
+* Wed Jun 09 2021 Zdenek Pytela - 3.14.3-70
+- Allow using opencryptoki for ipsec
+Resolves: rhbz#1894132
+- Remove all kernel_getattr_proc() interface calls
+Resolves: rhbz#1967125
+- Allow domain stat /proc filesystem
+Resolves: rhbz#1967125
+- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
+Resolves: rhbz#1969725
+- Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
+Resolves: rhbz#1894132
+- Allow using opencryptoki for certmonger
+Resolves: rhbz#1894132
+- install_t: Allow NoNewPriv transition from systemd
+Resolves: rhbz#1955547
+- Remove all kernel_getattr_proc() interface calls
+Resolves: rhbz#1967125
+- Allow httpd_sys_script_t read, write, and map hugetlbfs files
+Resolves: rhbz#1966133
+
+* Wed Jun 02 2021 Zdenek Pytela - 3.14.3-69
+- Add /var/usrlocal equivalency rule
+Resolves: rhbz#1943381
+- Label '/var/usrlocal/(.*/)?sbin(/.*)?' as bin_t
+Resolves: rhbz#1943381
+- Label /dev/trng with random_device_t
+Resolves: rhbz#1934483
+- Allow systemd-sleep transition to sysstat_t
+Resolves: rhbz#1927551
+- Allow systemd-sleep transition to tlp_t
+Resolves: rhbz#1927551
+- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
+Resolves: rhbz#1927551
+- Allow systemd-sleep execute generic programs
+Resolves: rhbz#1948070
+- Allow systemd-sleep execute shell
+Resolves: rhbz#1954358
+- Allow nsswitch_domain read init pid lnk_files
+Resolves: rhbz#1860924
+- Introduce logging_syslogd_list_non_security_dirs tunable
+Resolves: rhbz#1823669
+- Add sysstat_domtrans() to allow systemd-sleep transition to sysstat_t
+Resolves: rhbz#1927551
+- Change param description in cron interfaces to userdomain_prefix
+Resolves: rhbz#1801249
+- Add missing declaration in rpm_named_filetrans()
+Resolves: rhbz#1801249
+
+* Thu May 20 2021 Zdenek Pytela - 3.14.3-68
+- Allow pluto IKEv2 / ESP over TCP
+Resolves: rhbz#1931848
+- Label SDC(scini) Dell Driver
+Resolves: rhbz#1936882
+- Add file context specification for /var/tmp/tmp-inst
+Resolves: rhbz#1919253
+- Allow virtlogd_t to create virt_var_lockd_t dir
+Resolves: rhbz#1941464
+- Allow cups-lpd read its private runtime socket files
+Resolves: rhbz#1919399
+
+* Mon Mar 15 2021 Zdenek Pytela - 3.14.3-67
+- Allow systemd the audit_control capability conditionally
+Resolves: rhbz#1861771
+
+* Thu Mar 04 2021 Zdenek Pytela - 3.14.3-66
+- Disallow user_t run su/sudo and staff_t run su
+Resolves: rhbz#1907517
+
 * Mon Feb 22 2021 Zdenek Pytela - 3.14.3-65
 - Relabel /usr/sbin/charon-systemd as ipsec_exec_t
 Resolves: rhbz#1889542