From c8c754cba37703fbb505517090f130c4eb59188d Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jul 26 2019 08:28:53 +0000 Subject: * Fri Jul 26 2019 Lukas Vrabec - 3.14.4-25 - Allow spamd_update_t domain to read network state of system BZ(1733172) - Allow dlm_controld_t domain to transition to the lvm_t - Allow sandbox_web_client_t domain to do sys_chroot in user namespace - Allow virtlockd process read virtlockd.conf file - Add more permissions for session dbus types to make working dbus broker with systemd user sessions - Allow sssd_t domain to read gnome config and named cache files - Allow brltty to request to load kernel module - Add svnserve_tmp_t label forl svnserve temp files to system private tmp - Allow sssd_t domain to read kernel net sysctls BZ(1732185) - Run timedatex service as timedatex_t - Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool - Allow cyrus work with PrivateTmp - Make cgdcbxd_t domain working with SELinux enforcing. - Make working wireshark execute byt confined users staff_t and sysadm_t - Dontaudit virt_domain to manage ~/.cache dirs BZ(1730963) - Allow svnserve_t domain to read system state - allow named_t to map named_cache_t files - Label user cron spool file with user_cron_spool_t - Update gnome_role_template() template to allow sysadm_t confined user to login to xsession - Allow lograte_t domain to manage collect_rw_content files and dirs - Add interface collectd_manage_rw_content() - Allow ifconfig_t domain to manage vmware logs - Remove system_r role from staff_u user. - Make new timedatex policy module active - Add systemd_private_tmp_type attribute - Allow systemd to load kernel modules during boot process. - Allow sysadm_t and staff_t domains to read wireshark shared memory - Label /usr/libexec/utempter/utempter as utemper_exec_t - Allow ipsec_t domain to read/write l2tpd pipe BZ(1731197) - Allow sysadm_t domain to create netlink selinux sockets - Make cgdcbxd active in Fedora upstream sources --- diff --git a/.gitignore b/.gitignore index 122358d..0d828d8 100644 --- a/.gitignore +++ b/.gitignore @@ -387,3 +387,5 @@ serefpolicy* /selinux-policy-f1ee18a.tar.gz /selinux-policy-contrib-2e0b14e.tar.gz /selinux-policy-8935967.tar.gz +/selinux-policy-contrib-da6544c.tar.gz +/selinux-policy-2f909f9.tar.gz diff --git a/selinux-policy.spec b/selinux-policy.spec index 8ceb499..15979cf 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 89359670764aa34dd1e03fae712cfd08dc00b3fd +%global commit0 2f909f93138b6b66f8a6bc62afdbe5598da00f29 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 2e0b14ec0adfc0c5b0865d3ec09a30a9cfe996c6 +%global commit1 da6544c44b41dc3bd64d333437619f05577d1a96 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat @@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.4 -Release: 24%{?dist} +Release: 25%{?dist} License: GPLv2+ Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz @@ -787,6 +787,39 @@ exit 0 %endif %changelog +* Fri Jul 26 2019 Lukas Vrabec - 3.14.4-25 +- Allow spamd_update_t domain to read network state of system BZ(1733172) +- Allow dlm_controld_t domain to transition to the lvm_t +- Allow sandbox_web_client_t domain to do sys_chroot in user namespace +- Allow virtlockd process read virtlockd.conf file +- Add more permissions for session dbus types to make working dbus broker with systemd user sessions +- Allow sssd_t domain to read gnome config and named cache files +- Allow brltty to request to load kernel module +- Add svnserve_tmp_t label forl svnserve temp files to system private tmp +- Allow sssd_t domain to read kernel net sysctls BZ(1732185) +- Run timedatex service as timedatex_t +- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool +- Allow cyrus work with PrivateTmp +- Make cgdcbxd_t domain working with SELinux enforcing. +- Make working wireshark execute byt confined users staff_t and sysadm_t +- Dontaudit virt_domain to manage ~/.cache dirs BZ(1730963) +- Allow svnserve_t domain to read system state +- allow named_t to map named_cache_t files +- Label user cron spool file with user_cron_spool_t +- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession +- Allow lograte_t domain to manage collect_rw_content files and dirs +- Add interface collectd_manage_rw_content() +- Allow ifconfig_t domain to manage vmware logs +- Remove system_r role from staff_u user. +- Make new timedatex policy module active +- Add systemd_private_tmp_type attribute +- Allow systemd to load kernel modules during boot process. +- Allow sysadm_t and staff_t domains to read wireshark shared memory +- Label /usr/libexec/utempter/utempter as utemper_exec_t +- Allow ipsec_t domain to read/write l2tpd pipe BZ(1731197) +- Allow sysadm_t domain to create netlink selinux sockets +- Make cgdcbxd active in Fedora upstream sources + * Wed Jul 17 2019 Lukas Vrabec - 3.14.4-24 - Label user cron spool file with user_cron_spool_t - Update gnome_role_template() template to allow sysadm_t confined user to login to xsession diff --git a/sources b/sources index 2cc4cfe..868ac39 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ -SHA512 (selinux-policy-contrib-2e0b14e.tar.gz) = 9a36911c82c26a80bc742dccae340aa8e31dbd6e0bef9bc6ac0366ea4c6ac8779ebd537a7a8c6e4e3764e33a536c6103ffa74b60d7d013adf31ecee393b959ea -SHA512 (selinux-policy-8935967.tar.gz) = da08e88ff01eb236bea8ea90286c53900396559af4f9ba439166f3f6800e6b4d61480b1d54c358ae9f149e5eefbac00683a5f0c96386ec2aa61afc8cf447e5d5 -SHA512 (container-selinux.tgz) = 59ec026e8c06f2b8cd01fdfedd47249d97f828f23c6532e4ff7b80becfd5ed00a69f706f26e80e736c477b9d7460f8ad6c4f9bbb74b8c78c5c2b1ee067f70747 +SHA512 (selinux-policy-contrib-da6544c.tar.gz) = 74160f1993a5fa024e9f558167b77668ad10a65776d392bb2fcd0bb97dc1ef0d7e8e21a32840789d4b5078db48f474a42ef1b586fd7208a07f07d616e0f0dfbd +SHA512 (selinux-policy-2f909f9.tar.gz) = d3f005caaf635f0600ad69c0cc41b82ef98c07c3d6d9dca1908bdf9bcd816b8ee2dbd68a094108bf1551388f99edc64fadfcd8b2b1cd84a3cf4531e7613f40ce SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4 +SHA512 (container-selinux.tgz) = aeecf9c5e91d14b379c14161e2b38e9abecf21f1f943d37d132ad83073abfa23f9c1ef6edb6d27a82b6facff58120c4c2569b5274bf8928901ab920137585ff0