diff --git a/.gitignore b/.gitignore
index 99a0d94..b7ef001 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-141c3fd.tar.gz
+SOURCES/selinux-policy-0b21d4c.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index 72cb13e..9c4150c 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,2 +1,2 @@
-76b98420bd78a14b2421e1f14680b6bfe60fcfdf SOURCES/container-selinux.tgz
-fc88dd3c49d79e37c37b32014241fa85b457daa4 SOURCES/selinux-policy-141c3fd.tar.gz
+a405401da19909415b7ee69e2b2cdfed0c0fb03d SOURCES/container-selinux.tgz
+b281e81483dc3f6b56caa221d3b42930ee0b7f37 SOURCES/selinux-policy-0b21d4c.tar.gz
diff --git a/SOURCES/booleans-targeted.conf b/SOURCES/booleans-targeted.conf
index 8789a08..274d3cc 100644
--- a/SOURCES/booleans-targeted.conf
+++ b/SOURCES/booleans-targeted.conf
@@ -12,8 +12,6 @@ pppd_can_insmod = false
 privoxy_connect_any = true
 selinuxuser_direct_dri_enabled = true
 selinuxuser_execmem = true
-selinuxuser_execmod = true
-selinuxuser_execstack = true
 selinuxuser_rw_noexattrfile=true
 selinuxuser_ping = true
 squid_connect_any = true
diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf
index 0e66811..61f027d 100644
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@@ -2663,3 +2663,10 @@ stratisd = module
 # ica
 #
 ica = module
+
+# Layer: contrib
+# Module: insights_client
+#
+# insights_client
+#
+insights_client = module
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 07e9de0..c5f39f4 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -1,6 +1,6 @@
 # github repo with selinux-policy sources
 %global giturl https://github.com/fedora-selinux/selinux-policy
-%global commit 141c3fde08c02097e0b6fa179a33cc17371e9a22
+%global commit 0b21d4c0c4587cf2f8503a27109b729394bc68c1
 %global shortcommit %(c=%{commit}; echo ${c:0:7})
 %define distro redhat
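Review bot: The comment block added for `insights_client` in SOURCES/modules-targeted-contrib.conf puts the module name where a description belongs (`# insights_client`), so the entry does not say what the module confines. The neighbouring `ica` entry uses the same stub style, so this follows the file's habit, but a line such as `# Policy for the Red Hat Insights client (insights-client)` would let someone auditing the enabled-module list judge the entry without opening the policy tarball. The changelog in this commit lists both "New policy for insight-client" and "Remove permissive domain for insights_client_t", which suggests the domain is enforcing from its first release. The rules themselves are in the source tarball and not visible here, so it is worth watching the audit log for AVC denials against `insights_client_t` after the update.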
@@ -23,7 +23,7 @@
 %define CHECKPOLICYVER 3.2
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 34.1.22
+Version: 34.1.26
 Release: 1%{?dist}
 License: GPLv2+
 Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
@@ -792,6 +792,94 @@ exit 0
 %endif
 %changelog
+* Thu Feb 17 2022 Zdenek Pytela - 34.1.26-1
+- Remove permissive domain for insights_client_t
+Resolves: rhbz#2055823
+- New policy for insight-client
+Resolves: rhbz#2055823
+- Allow confined sysadmin to use tool vipw
+Resolves: rhbz#2053458
+- Allow chage domtrans to sssd
+Resolves: rhbz#2054657
+- Remove label for /usr/sbin/bgpd
+Resolves: rhbz#2055578
+- Dontaudit pkcsslotd sys_admin capability
+Resolves: rhbz#2055639
+- Do not change selinuxuser_execmod and selinuxuser_execstack
+Resolves: rhbz#2055822
+- Allow tuned to read rhsmcertd config files
+Resolves: rhbz#2055823
+
+* Mon Feb 14 2022 Zdenek Pytela - 34.1.25-1
+- Allow systemd watch unallocated ttys
+Resolves: rhbz#2054150
+- Allow alsa bind mixer controls to led triggers
+Resolves: rhbz#2049732
+- Allow alsactl set group Process ID of a process
+Resolves: rhbz#2049732
+- Allow unconfined to run virtd bpf
+Resolves: rhbz#2033504
+
+* Fri Feb 04 2022 Zdenek Pytela - 34.1.24-1
+- Allow tumblerd write to session_dbusd tmp socket files
+Resolves: rhbz#2000039
+- Allow login_userdomain write to session_dbusd tmp socket files
+Resolves: rhbz#2000039
+- Allow login_userdomain create session_dbusd tmp socket files
+Resolves: rhbz#2000039
+- Allow gkeyringd_domain write to session_dbusd tmp socket files
+Resolves: rhbz#2000039
+- Allow systemd-logind delete session_dbusd tmp socket files
+Resolves: rhbz#2000039
+- Allow gdm-x-session write to session dbus tmp sock files
+Resolves: rhbz#2000039
+- Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t
+Resolves: rhbz#2039453
+- Label exFAT utilities at /usr/sbin
+Resolves: rhbz#1972225
+
+* Wed Feb 02 2022 Zdenek Pytela - 34.1.23-1
+- Allow systemd nnp_transition to login_userdomain
+Resolves: rhbz#2039453
+- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t
+Resolves: rhbz#2000039
+- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling
+Resolves: rhbz#2000039
+- Allow scripts to enter LUKS password
+Resolves: rhbz#2048521
+- Allow system_mail_t read inherited apache system content rw files
+Resolves: rhbz#2049372
+- Add apache_read_inherited_sys_content_rw_files() interface
+Related: rhbz#2049372
+- Allow sanlock get attributes of filesystems with extended attributes
+Resolves: rhbz#2047811
+- Associate stratisd_data_t with device filesystem
+Resolves: rhbz#2039974
+- Allow init read stratis data symlinks
+Resolves: rhbz#2039974
+- Label /run/stratisd with stratisd_var_run_t
+Resolves: rhbz#2039974
+- Allow domtrans to sssd_t and role access to sssd
+Resolves: rhbz#2039757
+- Creating interface sssd_run_sssd()
+Resolves: rhbz#2039757
+- Fix badly indented used interfaces
+Resolves: rhbz#2039757
+- Allow domain transition to sssd_t
+Resolves: rhbz#2039757
+- Label /dev/nvme-fabrics with fixed_disk_device_t
+Resolves: rhbz#2039759
+- Allow local_login_t nnp_transition to login_userdomain
+Resolves: rhbz#2039453
+- Allow xdm_t nnp_transition to login_userdomain
+Resolves: rhbz#2039453
+- Make cupsd_lpd_t a daemon
+Resolves: rhbz#2039449
+- Label utilities for exFAT filesystems with fsadm_exec_t
+Resolves: rhbz#1972225
+- Dontaudit sfcbd sys_ptrace cap_userns
+Resolves: rhbz#2040311
+
 * Tue Jan 11 2022 Zdenek Pytela - 34.1.22-1
 - Allow sshd read filesystem sysctl files
 Resolves: rhbz#2036585