From a9b321b3cc804c6d719fd179b969bc7026437391 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Dec 20 2019 16:01:21 +0000 Subject: * Fri Dec 20 2019 Zdenek Pytela - 3.14.5-19 - Allow init_t nnp domain transition to kmod_t - Allow userdomain dbus chat with systemd_resolved_t - Allow init_t read and setattr on /var/lib/fprintd - Allow sysadm_t dbus chat with colord_t - Allow confined users run fwupdmgr - Allow confined users run machinectl - Allow systemd labeled as init_t domain to create dirs labeled as var_t - Allow systemd labeled as init_t do read/write tpm_device_t chr files BZ(1778079) - Add new file context rabbitmq_conf_t. - Allow journalctl read init state BZ(1731753) - Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces - Allow pulseaudio create .config and dgram sendto to unpriv_userdomain - Change type in transition for /var/cache/{dnf,yum} directory - Allow cockpit_ws_t read efivarfs_t BZ(1777085) - Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030) - Allow named_t domain to mmap named_zone_t files BZ(1647493) - Make boinc_var_lib_t label system mountdir attribute - Allow stratis_t domain to request load modules - Update fail2ban policy - Allow spamd_update_t access antivirus_unit_file_t BZ(1774092) - Allow uuidd_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature. - Allow rdisc_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature.
---
diff --git a/.gitignore b/.gitignore
index 1cd8583..2daec17 100644
--- a/.gitignore
+++ b/.gitignore
@@ -427,3 +427,5 @@ serefpolicy*
 /selinux-policy-contrib-46d44de.tar.gz
 /selinux-policy-ae2c4ae.tar.gz
 /selinux-policy-4881d15.tar.gz
+/selinux-policy-contrib-43e2de6.tar.gz
+/selinux-policy-789c659.tar.gz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d29ed6a..b5846b6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 4881d15bc1acac413e0ba897de088850cada4de4
+%global commit0 789c6593214fa10b15d2c628822cffe985417f5a
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 46d44de3590ea9fcb0f227ea577c7ebf445eddfd
+%global commit1 43e2de656ea04a4309c98039a1fcddf416ef6dba
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 %define distro redhat
@@ -29,7 +29,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.5
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -789,6 +789,30 @@ exit 0
 %endif
 %changelog
+* Fri Dec 20 2019 Zdenek Pytela - 3.14.5-19
+- Allow init_t nnp domain transition to kmod_t
+- Allow userdomain dbus chat with systemd_resolved_t
+- Allow init_t read and setattr on /var/lib/fprintd
+- Allow sysadm_t dbus chat with colord_t
+- Allow confined users run fwupdmgr
+- Allow confined users run machinectl
+- Allow systemd labeled as init_t domain to create dirs labeled as var_t
+- Allow systemd labeled as init_t do read/write tpm_device_t chr files BZ(1778079)
+- Add new file context rabbitmq_conf_t.
+- Allow journalctl read init state BZ(1731753)
+- Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces
+- Allow pulseaudio create .config and dgram sendto to unpriv_userdomain
+- Change type in transition for /var/cache/{dnf,yum} directory
+- Allow cockpit_ws_t read efivarfs_t BZ(1777085)
+- Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030)
+- Allow named_t domain to mmap named_zone_t files BZ(1647493)
+- Make boinc_var_lib_t label system mountdir attribute
+- Allow stratis_t domain to request load modules
+- Update fail2ban policy
+- Allow spamd_update_t access antivirus_unit_file_t BZ(1774092)
+- Allow uuidd_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature.
+- Allow rdisc_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature.
+
 * Thu Nov 28 2019 Lukas Vrabec - 3.14.5-18
 - Allow systemd to read all proc
 - Introduce new type pdns_var_lib_t
diff --git a/sources b/sources
index 9f98e43..f213b19 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
-SHA512 (selinux-policy-contrib-46d44de.tar.gz) = ba119d77e63cf069deaef68ddd83db4ad07ea9c5c2d7a66bebab6dfbcebe8b6d7cface3c92a6e9353026a14284d6741d72938ec97d9ee78375bdbb9d24c09d87
-SHA512 (selinux-policy-4881d15.tar.gz) = b378e0be4bd1ec3dbd4eaa5f04a0aca19ab904a4caaa93ee018f8c27724ebc6c2d3dc0e557dbe0cf6a99b417d1dac4f46c460b7941fe3e896411655576ee09f0
-SHA512 (container-selinux.tgz) = fa22c0b233965184692ccf139c270718505b6cf83d270fbc0c4da3c9baae702612167b082d08eeb77a050c3ebe9ee0424ea7ef9b8be437da32b071a4e5338bdd
+SHA512 (selinux-policy-contrib-43e2de6.tar.gz) = 56d01491f88f3a40db6cbe059b9b406dd15e254bb1eb7f3faee5635653986b2800bbbf15a66e0f9b972d1b5bae5ac3bc1d9ca207e5cf7a185a08a0347d3a9159
+SHA512 (selinux-policy-789c659.tar.gz) = 73a87e1f4b357211d34ed2e8029f2ab08afee33992a6c97119b091e92cb0d704a877f5cb2191a07bd92b348d7cfba782c27a47130fde69de21d6a3d3edf15b78
+SHA512 (container-selinux.tgz) = 813577b352bdfb4d0fd1bcba54f55a4d368512b7db3395a3a192205fe76485f9ff7994bc1fe610a27192f7e22818d7b8a2ab0a0128eff7f3387e481cfb0c1961
 SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4
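Review bot: The SHA512 of `container-selinux.tgz` is replaced in this hunk, yet the file name carries no version and neither the commit message nor the added changelog entry mentions a container-selinux update, so the new archive cannot be tied to an upstream revision from this commit. The two selinux-policy tarballs are traceable because their names embed the short commit that `commit0` and `commit1` pin in the spec, whereas this one is identified only by the hash recorded here. I would record its origin in the changelog, for example `- Update container-selinux.tgz to <upstream commit or tag>`, or give the archive a name that includes that revision so a later hash change can be reviewed against a known source.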