From dfde7d3e7a06ac42f4ba124b8e4fc5e0400c343e Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: May 22 2023 07:00:23 +0000
Subject: * Mon May 22 2023 Zdenek Pytela - 38.13-1
- Add initial policy for cifs-helper
- Label key.dns_resolver with keyutils_dns_resolver_exec_t
- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t
- Allow some systemd services write to cgroup files
- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files
- Allow systemd resolved to bind to arbitrary nodes
- Allow plymouthd_t bpf capability to run bpf programs
- Allow cupsd to create samba_var_t files
- Allow rhsmcert request the kernel to load a module
- Allow virsh name_connect virt_port_t
- Allow certmonger manage cluster library files
- Allow plymouthd read init process state
- Add chromium_sandbox_t setcap capability
- Allow snmpd read raw disk data
- Allow samba-rpcd work with passwords
- Allow unconfined service inherit signal state from init
- Allow cloud-init manage gpg admin home content
- Allow cluster_t dbus chat with various services
- Allow nfsidmapd work with systemd-userdbd and sssd
- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
- Allow plymouthd map dri and framebuffer devices
- Allow rpmdb_migrate execute rpmdb
- Allow logrotate dbus chat with systemd-hostnamed
- Allow icecast connect to kernel using a unix stream socket
- Allow lldpad connect to systemd-userdbd over a unix socket
- Allow journalctl open user domain ptys and ttys
- Allow keepalived to manage its tmp files
- Allow ftpd read network sysctls
- Label /run/bgpd with zebra_var_run_t
- Allow gssproxy read network sysctls
- Add the cifsutils module
---
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 367f29d..80902f2 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -2712,3 +2712,10 @@ rshim = module
 # keyutils
 #
 keyutils = module
+
+# Layer: contrib
+# Module: cifsutils
+#
+# cifsutils - Utilities for managing CIFS mounts
+#
+cifsutils = module
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 15f6583..fc4999c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,6 +1,6 @@
 # github repo with selinux-policy sources
 %global giturl https://github.com/fedora-selinux/selinux-policy
-%global commit 61c90a7ada38cbbeaaef3b299b784721fe3c60c2
+%global commit 6b599716fa1b29325fd2f2cf9af3fc25dfe9336e
 %global shortcommit %(c=%{commit}; echo ${c:0:7})
 %define distro redhat
@@ -23,7 +23,7 @@
 %define CHECKPOLICYVER 3.2
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 38.12
+Version: 38.13
 Release: 1%{?dist}
 License: GPL-2.0-or-later
 Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
@@ -813,6 +813,39 @@ exit 0
 %endif
 %changelog
+* Mon May 22 2023 Zdenek Pytela - 38.13-1
+- Add initial policy for cifs-helper
+- Label key.dns_resolver with keyutils_dns_resolver_exec_t
+- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t
+- Allow some systemd services write to cgroup files
+- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files
+- Allow systemd resolved to bind to arbitrary nodes
+- Allow plymouthd_t bpf capability to run bpf programs
+- Allow cupsd to create samba_var_t files
+- Allow rhsmcert request the kernel to load a module
+- Allow virsh name_connect virt_port_t
+- Allow certmonger manage cluster library files
+- Allow plymouthd read init process state
+- Add chromium_sandbox_t setcap capability
+- Allow snmpd read raw disk data
+- Allow samba-rpcd work with passwords
+- Allow unconfined service inherit signal state from init
+- Allow cloud-init manage gpg admin home content
+- Allow cluster_t dbus chat with various services
+- Allow nfsidmapd work with systemd-userdbd and sssd
+- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
+- Allow plymouthd map dri and framebuffer devices
+- Allow rpmdb_migrate execute rpmdb
+- Allow logrotate dbus chat with systemd-hostnamed
+- Allow icecast connect to kernel using a unix stream socket
+- Allow lldpad connect to systemd-userdbd over a unix socket
+- Allow journalctl open user domain ptys and ttys
+- Allow keepalived to manage its tmp files
+- Allow ftpd read network sysctls
+- Label /run/bgpd with zebra_var_run_t
+- Allow gssproxy read network sysctls
+- Add the cifsutils module
+
 * Tue Apr 25 2023 Zdenek Pytela - 38.12-1
 - Allow telnetd read network sysctls
 - Allow munin system plugin read generic SSL certificates
diff --git a/sources b/sources
index 9b62529..b8a626a 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (selinux-policy-61c90a7.tar.gz) = 084c2da710551f31d0e04cbd3c013f5896da657d6af20a3c0d81cc4a083e5de04bc168ba3539c347c77750dc8c0c40326e14839f33577133182eb7848daf471a
+SHA512 (selinux-policy-6b59971.tar.gz) = c51022f6e34123de157513441a1f55aef1bedc0bb3df084d8788fb1a1b76eac2bb1d1b76356927effb52ed61b48cd6a9fd1fe7013b001aa8b7f96c8126e71ee5
+SHA512 (container-selinux.tgz) = 511a3ba18b57f0bf7a496f8d5796e0d6ccf08485be13f65e5d84919aaebc9f56b24372867d56f3fd87e0d9cfb4fdb918d2453912bf289f487d5c290e20da4d8a
 SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4
-SHA512 (container-selinux.tgz) = 3b16723e4505d1a7e42e86e0c14d8b672ddef139064f485d5ae0327566a0edf75c91746f934d27e81d0cdbcc005b468966a203b1d5d6933d0665d9035199ac4d
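Review bot: The digest for `container-selinux.tgz` changes in this hunk (3b16723e… to 511a3ba1…), but the file name carries no version and neither the commit message nor the new %changelog entry mentions a container-selinux refresh, so the new archive cannot be tied to an upstream revision from this patch. The selinux-policy tarball, by contrast, is traceable through `%global commit` and the `6b59971` suffix in its file name. I would record the origin of the second archive, for example with a changelog line such as `- Update container-selinux.tgz to <upstream commit placeholder>` or a comment where the spec lists that source (not shown in this patch). The entry also moved above `macro-expander`; that is harmless but makes a content change look like a reorder.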