diff --git a/.gitignore b/.gitignore index 1a35944..041ee17 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ SOURCES/container-selinux.tgz -SOURCES/selinux-policy-8a7c84e.tar.gz -SOURCES/selinux-policy-contrib-3fdedc8.tar.gz +SOURCES/selinux-policy-426c028.tar.gz +SOURCES/selinux-policy-contrib-c6da44c.tar.gz diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata index 39ba78e..d110037 100644 --- a/.selinux-policy.metadata +++ b/.selinux-policy.metadata @@ -1,3 +1,3 @@ -d0e11bf7b5ed075673adf6b4f0a273c85b1c45a8 SOURCES/container-selinux.tgz -76b2e33f2f4a051d9b2b4bd4b542146ce867846b SOURCES/selinux-policy-8a7c84e.tar.gz -e03893817cec19f671f3254f424f313af3e3e3ee SOURCES/selinux-policy-contrib-3fdedc8.tar.gz +bbb33f1d3ec06ac961c111b66a324496cbe9768f SOURCES/container-selinux.tgz +8f77181d801751fdd49e7a537b291af8b455ed51 SOURCES/selinux-policy-426c028.tar.gz +84a66625f87ed784dc752c76eca051d058abfa8d SOURCES/selinux-policy-contrib-c6da44c.tar.gz diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec index 1d08611..0ee5c6b 100644 --- a/SPECS/selinux-policy.spec +++ b/SPECS/selinux-policy.spec @@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 8a7c84e9d530d1ef4bea7895c18095254ed0cb2b +%global commit0 426c028e3d055a6ae74f8bf7cc92107f3e43a5ea %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 3fdedc8e457a69925e40d245785d132185c27fb3 +%global commit1 c6da44cc670eb76341a756f7d338e60cfa7cd8ac %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat @@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.3 -Release: 108%{?dist}.2 +Release: 117%{?dist} License: GPLv2+ Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz @@ -717,59 +717,182 @@ exit 0 %endif %changelog -* Tue Feb 21 2023 Zdenek Pytela - 3.14.3-108.2 -- Add domain_unix_read_all_semaphores() interface -Resolves: rhbz#2170510 -- Add interfaces in domain, files, and unconfined modules -Resolves: rhbz#2170510 +* Thu Feb 16 2023 Zdenek Pytela - 3.14.3-117 +- Fix opencryptoki file names in /dev/shm +Resolves: rhbz#2028637 +- Allow system_cronjob_t transition to rpm_script_t +Resolves: rhbz#2154242 +- Revert "Allow system_cronjob_t domtrans to rpm_script_t" +Resolves: rhbz#2154242 +- Allow httpd work with tokens in /dev/shm +Resolves: rhbz#2028637 +- Allow keepalived to set resource limits +Resolves: rhbz#2168638 +- Allow insights-client manage fsadm pid files + +* Thu Feb 09 2023 Zdenek Pytela - 3.14.3-116 +- Allow sysadm_t run initrc_t script and sysadm_r role access +Resolves: rhbz#2039662 - Allow insights-client manage fsadm pid files -Resolves: rhbz#2170510 +Resolves: rhbz#2166802 +- Add journalctl the sys_resource capability +Resolves: rhbz#2136189 + +* Thu Jan 26 2023 Zdenek Pytela - 3.14.3-115 +- Fix syntax problem in redis.te +Resolves: rhbz#2112228 +- Allow unconfined user filetransition for sudo log files +Resolves: rhbz#2164047 +- Allow winbind-rpcd make a TCP connection to the ldap port +Resolves: rhbz#2152642 +- Allow winbind-rpcd manage samba_share_t files and dirs +Resolves: rhbz#2152642 - Allow insights-client work with su and lpstat -Resolves: rhbz#2170510 +Resolves: rhbz#2134125 - Allow insights-client read nvme devices -Resolves: rhbz#2170510 +Resolves: rhbz#2143878 - Allow insights-client tcp connect to all ports -Resolves: rhbz#2170510 +Resolves: rhbz#2143878 +- Allow redis-sentinel execute a notification script +Resolves: rhbz#2112228 + +* Thu Jan 12 2023 Zdenek Pytela - 3.14.3-114 +- Add interfaces in domain, files, and unconfined modules +Resolves: rhbz#2141311 +- Allow sysadm_t read/write ipmi devices +Resolves: rhbz#2148561 +- Allow sudodomain use sudo.log as a logfile +Resolves: rhbz#2143762 - Add insights additional capabilities -Resolves: rhbz#2170510 +Resolves: rhbz#2158779 - Allow insights client work with gluster and pcp -Resolves: rhbz#2170510 +Resolves: rhbz#2141311 +- Allow prosody manage its runtime socket files +Resolves: rhbz#2157902 +- Allow system mail service read inherited certmonger runtime files +Resolves: rhbz#2143337 +- Add lpr_roles to system_r roles +Resolves: rhbz#2151111 + +* Thu Dec 15 2022 Zdenek Pytela - 3.14.3-113 +- Allow systemd-socket-proxyd get attributes of cgroup filesystems +Resolves: rhbz#2088441 +- Allow systemd-socket-proxyd get filesystems attributes +Resolves: rhbz#2088441 +- Allow sysadm read ipmi devices +Resolves: rhbz#2148561 +- Allow system mail service read inherited certmonger runtime files +Resolves: rhbz#2143337 +- Add lpr_roles to system_r roles +Resolves: rhbz#2151111 - Allow insights-client tcp connect to various ports -Resolves: rhbz#2170510 +Resolves: rhbz#2151111 - Allow insights-client work with pcp and manage user config files -Resolves: rhbz#2170510 +Resolves: rhbz#2151111 - Allow insights-client dbus chat with various services -Resolves: rhbz#2170510 +Resolves: rhbz#2152867 - Allow insights-client dbus chat with abrt -Resolves: rhbz#2170510 +Resolves: rhbz#2152867 +- Allow redis get user names +Resolves: rhbz#2112228 +- Add winbind-rpcd to samba_enable_home_dirs boolean +Resolves: rhbz#2143696 + +* Wed Nov 30 2022 Zdenek Pytela - 3.14.3-112 +- Allow ipsec_t only read tpm devices +Resolves: rhbz#2147380 +- Allow ipsec_t read/write tpm devices +Resolves: rhbz#2147380 +- Label udf tools with fsadm_exec_t +Resolves: rhbz#1972230 +- Allow the spamd_update_t domain get generic filesystem attributes +Resolves: rhbz#2144501 +- Allow cdcc mmap dcc-client-map files +Resolves: rhbz#2144505 - Allow insights client communicate with cupsd, mysqld, openvswitch, redis -Resolves: rhbz#2170510 +Resolves: rhbz#2143878 - Allow insights client read raw memory devices -Resolves: rhbz#2170510 +Resolves: rhbz#2143878 +- Allow winbind-rpcd get attributes of device and pty filesystems +Resolves: rhbz#2107106 +- Allow postfix/smtpd read kerberos key table +Resolves: rhbz#1983308 + +* Fri Nov 11 2022 Zdenek Pytela - 3.14.3-111 +- Add domain_unix_read_all_semaphores() interface +Resolves: rhbz#2141311 +- Allow iptables list cgroup directories +Resolves: rhbz#2134820 +- Allow systemd-hostnamed dbus chat with init scripts +Resolves: rhbz#2111632 +- Allow systemd to read symlinks in /var/lib +Resolves: rhbz#2118784 - Allow insights-client domain transition on semanage execution -Resolves: rhbz#2170510 +Resolves: rhbz#2141311 - Allow insights-client create gluster log dir with a transition -Resolves: rhbz#2170510 +Resolves: rhbz#2141311 - Allow insights-client manage generic locks -Resolves: rhbz#2170510 +Resolves: rhbz#2141311 - Allow insights-client unix_read all domain semaphores -Resolves: rhbz#2170510 +Resolves: rhbz#2141311 +- Allow winbind-rpcd use the terminal multiplexor +Resolves: rhbz#2107106 +- Allow mrtg send mails +Resolves: rhbz#2103675 +- Allow sssd dbus chat with system cronjobs +Resolves: rhbz#2132922 +- Allow postfix/smtp and postfix/virtual read kerberos key table +Resolves: rhbz#1983308 + +* Thu Oct 20 2022 Zdenek Pytela - 3.14.3-110 +- Add the systemd_connectto_socket_proxyd_unix_sockets() interface +Resolves: rhbz#208441 +- Add the dev_map_vhost() interface +Resolves: rhbz#2122920 +- Allow init remount all file_type filesystems +Resolves: rhbz#2122239 +- added policy for systemd-socket-proxyd +Resolves: rhbz#2088441 +- Allow virt_domain map vhost devices +Resolves: rhbz#2122920 +- Allow virt domains to access xserver devices +Resolves: rhbz#2122920 +- Allow rotatelogs read httpd_log_t symlinks +Resolves: rhbz#2030633 +- Allow vlock search the contents of the /dev/pts directory +Resolves: rhbz#2122838 +- Allow system cronjobs dbus chat with setroubleshoot +Resolves: rhbz#2125008 +- Allow ptp4l_t name_bind ptp_event_port_t +Resolves: rhbz#2130168 +- Allow pcp_domain execute its private memfd: objects +Resolves: rhbz#2090711 +- Allow samba-dcerpcd use NSCD services over a unix stream socket +Resolves: rhbz#2121709 +- Allow insights-client manage samba var dirs +Resolves: rhbz#2132230 -* Fri Nov 04 2022 Zdenek Pytela - 3.14.3-108.1 +* Wed Oct 12 2022 Zdenek Pytela - 3.14.3-109 - Add the files_map_read_etc_files() interface -Resolves: rhbz#2136762 +Resolves: rhbz#2132230 - Allow insights-client manage samba var dirs -Resolves: rhbz#2136762 +Resolves: rhbz#2132230 - Allow insights-client send null signal to rpm and system cronjob -Resolves: rhbz#2136762 +Resolves: rhbz#2132230 - Update rhcd policy for executing additional commands 4 -Resolves: rhbz#2136762 +Resolves: rhbz#2132230 - Allow insights-client connect to postgresql with a unix socket -Resolves: rhbz#2136762 +Resolves: rhbz#2132230 - Allow insights-client domtrans on unix_chkpwd execution -Resolves: rhbz#2136762 +Resolves: rhbz#2132230 - Add file context entries for insights-client and rhc -Resolves: rhbz#2136762 +Resolves: rhbz#2132230 +- Allow snmpd_t domain to trace processes in user namespace +Resolves: rhbz#2121084 +- Allow sbd the sys_ptrace capability +Resolves: rhbz#2124552 +- Allow pulseaudio create gnome content (~/.config) +Resolves: rhbz#2124387 * Thu Sep 08 2022 Zdenek Pytela - 3.14.3-108 - Allow unconfined_service_t insights client content filetrans