From cb2aec1c58ec656bd3f2f3de7ee7e9bdbdeea890 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 27 2022 20:08:29 +0000 Subject: import selinux-policy-3.14.3-107.el8 --- diff --git a/.gitignore b/.gitignore index dbd5186..7927dee 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ SOURCES/container-selinux.tgz -SOURCES/selinux-policy-642155b.tar.gz -SOURCES/selinux-policy-contrib-0e4a7a0.tar.gz +SOURCES/selinux-policy-9db72ed.tar.gz +SOURCES/selinux-policy-contrib-5e2c252.tar.gz diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata index 7d300f0..ea1df3e 100644 --- a/.selinux-policy.metadata +++ b/.selinux-policy.metadata @@ -1,3 +1,3 @@ -e531ed72bd4055f40cb0152b1f81842c96af37c5 SOURCES/container-selinux.tgz -26b6cee1e1baf47309bfc5055781869abb589a2d SOURCES/selinux-policy-642155b.tar.gz -17a4e399dbf5dd7266a5bf3904aad633e3889351 SOURCES/selinux-policy-contrib-0e4a7a0.tar.gz +37036a3f9ec27f942a2b186db25f3c0551784c4e SOURCES/container-selinux.tgz +d9e66219a3c1a29e8af4da26ed471297d3281fcc SOURCES/selinux-policy-9db72ed.tar.gz +dd2ac90c589a5a5110bf578b014754b69f2232c7 SOURCES/selinux-policy-contrib-5e2c252.tar.gz diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec index f7b074a..1826dad 100644 --- a/SPECS/selinux-policy.spec +++ b/SPECS/selinux-policy.spec @@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 642155b226a48d3edbdc1a13fb9a9fece74140f7 +%global commit0 9db72ed4345b0f26e798cb301f306fb4ee303844 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 0e4a7a0e5879fd49a239fb71e000c4967fe98eca +%global commit1 5e2c252146f379cd25df50de97816f6771d9d79b %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat 
@@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.3 -Release: 93%{?dist} +Release: 107%{?dist} License: GPLv2+ Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz @@ -148,7 +148,7 @@ SELinux policy development and man page package %{_usr}/share/selinux/devel/Makefile %{_usr}/share/selinux/devel/example.* %{_usr}/share/selinux/devel/policy.* -%ghost %{_sharedstatedir}/sepolgen/interface_info +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info %post devel selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null 
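Review bot: The new `%verify(not md5 size mode mtime)` on the `%ghost` entry for `interface_info` in the devel file list has no comment saying why verification is relaxed; an integrity exemption on a policy-tooling file should carry its justification next to it. From the visible lines the file appears to be produced at install time by `sepolgen-ifgen` in the devel post scriptlet, so its content attributes cannot match the package database. A line above the entry such as `# interface_info is generated by sepolgen-ifgen in the devel post scriptlet; rpm -V still checks owner and group` would record that. After this change `rpm -V` no longer reports content or mode changes to the file, so hosts that rely on it for tamper detection need another file-integrity check on this path. The file list and the scriptlet both continue outside the hunk.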
@@ -717,6 +717,226 @@ exit 0 %endif %changelog +* Thu Aug 25 2022 Zdenek Pytela - 3.14.3-107 +- Label 319/udp port with ptp_event_port_t +Resolves: rhbz#2118628 +- Allow unconfined and sysadm users transition for /root/.gnupg +Resolves: rhbz#2119507 +- Add the kernel_read_proc_files() interface +Resolves: rhbz#2119507 +- Add userdom_view_all_users_keys() interface +Resolves: rhbz#2119507 +- Allow system_cronjob_t domtrans to rpm_script_t +Resolves: rhbz#2118362 +- Allow smbd_t process noatsecure permission for winbind_rpcd_t +Resolves: rhbz#2117199 +- Allow chronyd bind UDP sockets to ptp_event ports +Resolves: rhbz#2118628 +- Allow samba-bgqd to read a printer list +Resolves: rhbz#2118958 +- Add gpg_filetrans_admin_home_content() interface +Resolves: rhbz#2119507 +- Update insights-client policy for additional commands execution +Resolves: rhbz#2119507 +- Allow gpg read and write generic pty type +Resolves: rhbz#2119507 +- Allow chronyc read and write generic pty type +Resolves: rhbz#2119507 +- Disable rpm verification on interface_info +Resolves: rhbz#2119472 + +* Wed Aug 10 2022 Zdenek Pytela - 3.14.3-106 +- Allow networkmanager to signal unconfined process +Resolves: rhbz#1918148 +- Allow sa-update to get init status and start systemd files +Resolves: rhbz#2011239 +- Allow samba-bgqd get a printer list +Resolves: rhbz#2114737 +- Allow insights-client rpm named file transitions +Resolves: rhbz#2104913 +- Add /var/tmp/insights-archive to insights_client_filetrans_named_content +Resolves: rhbz#2104913 +- Use insights_client_filetrans_named_content +Resolves: rhbz#2104913 +- Make default file context match with named transitions +Resolves: rhbz#2104913 +- Allow rhsmcertd to read insights config files +Resolves: rhbz#2104913 +- Label /etc/insights-client/machine-id +Resolves: rhbz#2104913 + +* Fri Jul 29 2022 Zdenek Pytela - 3.14.3-105 +- Do not call systemd_userdbd_stream_connect() for winbind-rpcd +Resolves: rhbz#2108383 +- Update winbind_rpcd_t +Resolves: 
rhbz#2108383
+- Allow irqbalance file transition for pid sock_files and directories
+Resolves: rhbz#2111916
+- Update irqbalance runtime directory file context
+Resolves: rhbz#2111916
+
+* Tue Jun 28 2022 Zdenek Pytela - 3.14.3-104
+- Update samba-dcerpcd policy for kerberos usage 2
+Resolves: rhbz#2096825
+
+* Mon Jun 27 2022 Zdenek Pytela - 3.14.3-103
+- Allow domain read usermodehelper state information
+Resolves: rhbz#2083504
+- Remove all kernel_read_usermodehelper_state() interface calls
+Resolves: rhbz#2083504
+- Allow samba-dcerpcd work with sssd
+Resolves: rhbz#2096825
+- Allow winbind_rpcd_t connect to self over a unix_stream_socket
+Resolves: rhbz#2096825
+- Update samba-dcerpcd policy for kerberos usage
+Resolves: rhbz#2096825
+- Allow keepalived read the contents of the sysfs filesystem
+Resolves: rhbz#2098189
+- Update policy for samba-dcerpcd
+Resolves: rhbz#2083504
+- Remove all kernel_read_usermodehelper_state() interface calls 2/2
+Resolves: rhbz#2083504
+- Update insights_client_filetrans_named_content()
+Resolves: rhbz#2091117
+
+* Wed Jun 22 2022 Zdenek Pytela - 3.14.3-102
+- Allow transition to insights_client named content
+Resolves: rhbz#2091117
+- Add the insights_client_filetrans_named_content() interface
+Resolves: rhbz#2091117
+- Update policy for insights-client to run additional commands 3
+Resolves: rhbz#2091117
+
+* Fri Jun 17 2022 Zdenek Pytela - 3.14.3-101
+- Add the init_status_config_transient_files() interface
+Resolves: rhbz#2091117
+- Allow init_t to rw insights_client unnamed pipe
+Resolves: rhbz#2091117
+- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
+Resolves: rhbz#2091117
+- Allow insights-client get status of the systemd transient scripts
+Resolves: rhbz#2091117
+- Allow insights-client execute its private memfd: objects
+Resolves: rhbz#2091117
+- Update policy for insights-client to run additional commands 2
+Resolves: rhbz#2091117
+- Do not call systemd_userdbd_stream_connect() for insights-client
+Resolves: rhbz#2091117
+- Use insights_client_tmp_t instead of insights_client_var_tmp_t
+Resolves: rhbz#2091117
+- Change space indentation to tab in insights-client
+Resolves: rhbz#2091117
+- Use socket permissions sets in insights-client
+Resolves: rhbz#2091117
+- Update policy for insights-client to run additional commands
+Resolves: rhbz#2091117
+- Change rpm_setattr_db_files() to use a pattern
+Resolves: rhbz#2091117
+- Add rpm setattr db files macro
+Resolves: rhbz#2091117
+- Fix insights client
+Resolves: rhbz#2091117
+- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
+Resolves: rhbz#2091117
+
+* Tue Jun 07 2022 Zdenek Pytela - 3.14.3-100
+- Update logging_create_generic_logs() to use create_files_pattern()
+Resolves: rhbz#2081907
+- Add the auth_read_passwd_file() interface
+Resolves: rhbz#2083504
+- Allow auditd_t noatsecure for a transition to audisp_remote_t
+Resolves: rhbz#2081907
+- Add support for samba-dcerpcd
+Resolves: rhbz#2083504
+- Allow rhsmcertd create generic log files
+Resolves: rhbz#1852086
+- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
+Resolves: rhbz#2090800
+
+* Mon May 23 2022 Zdenek Pytela - 3.14.3-99
+- Allow ifconfig_t domain to manage vmware logs
+Resolves: rhbz#1721943
+- Allow insights-client manage gpg admin home content
+Resolves: rhbz#2060834
+- Add the gpg_manage_admin_home_content() interface
+Resolves: rhbz#2060834
+- Label /var/cache/insights with insights_client_cache_t
+Resolves: rhbz#2063195
+- Allow insights-client search gconf homedir
+Resolves: rhbz#2087069
+- Allow insights-client create and use unix_dgram_socket
+Resolves: rhbz#2087069
+- Label more vdsm utils with virtd_exec_t
+Resolves: rhbz#2063871
+- Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t
+Resolves: rhbz#2063871
+- Allow sblim-gatherd the kill capability
+Resolves: rhbz#2082677
+- Allow privoxy execmem
+Resolves: rhbz#2083940
+
+* Wed May 04 2022 Zdenek Pytela - 3.14.3-98
+- Allow sysadm user execute
init scripts with a transition
+Resolves: rhbz#2039662
+- Change invalid type redisd_t to redis_t in redis_stream_connect()
+Resolves: rhbz#1897517
+- Allow php-fpm write access to /var/run/redis/redis.sock
+Resolves: rhbz#1897517
+- Allow sssd read systemd-resolved runtime directory
+Resolves: rhbz#2060721
+- Allow postfix stream connect to cyrus through runtime socket
+Resolves: rhbz#2066005
+- Allow insights-client create_socket_perms for tcp/udp sockets
+Resolves: rhbz#2073395
+- Allow insights-client read rhnsd config files
+Resolves: rhbz#2073395
+- Allow sblim-sfcbd connect to sblim-reposd stream
+Resolves: rhbz#2075810
+- Allow rngd drop privileges via setuid/setgid/setcap
+Resolves: rhbz#2076641
+- Allow rngd_t domain to use nsswitch
+Resolves: rhbz#2076641
+
+* Fri Apr 22 2022 Nikola Knazekova - 3.14.3-97
+- Create macro corenet_icmp_bind_generic_node()
+Resolves: rhbz#2070870
+- Allow traceroute_t and ping_t to bind generic nodes.
+Resolves: rhbz#2070870
+- Allow administrative users the bpf capability
+Resolves: rhbz#2070983
+- Allow insights-client search rhnsd configuration directory
+Resolves: rhbz#2073395
+- Allow ntlm_auth read the network state information
+Resolves: rhbz#2073349
+- Allow keepalived setsched and sys_nice
+Resolves: rhbz#2008033
+- Revert "Allow administrative users the bpf capability"
+Resolves: rhbz#2070983
+
+
+* Thu Apr 07 2022 Zdenek Pytela - 3.14.3-96
+- Add interface rpc_manage_exports
+Resolves: rhbz#2062183
+- Allow sshd read filesystem sysctl files
+Resolves: rhbz#2061403
+- Update targetd nfs & lvm
+Resolves: rhbz#2062183
+- Allow dhcpd_t domain to read network sysctls.
+Resolves: rhbz#2059509
+- Allow chronyd talk with unconfined user over unix domain dgram socket
+Resolves: rhbz#2065313
+- Allow fenced read kerberos key tables
+Resolves: rhbz#1964839
+
+* Thu Mar 24 2022 Zdenek Pytela - 3.14.3-95
+- Allow hostapd talk with unconfined user over unix domain dgram socket
+Resolves: rhbz#2068007
+
+* Thu Mar 10 2022 Nikola Knazekova nknazeko@redhat.com - 3.14.3-94
+- Allow chronyd send a message to sosreport over datagram socket
+- Allow systemd-logind dbus chat with sosreport
+Resolves: rhbz#2062607
+
 * Thu Feb 24 2022 Zdenek Pytela - 3.14.3-93
 - Allow systemd-networkd dbus chat with sosreport
 Resolves: rhbz#1949493