diff --git a/.gitignore b/.gitignore
index b9c630a..73b701f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-contrib-2d82882.tar.gz
-SOURCES/selinux-policy-ec7e4fd.tar.gz
+SOURCES/selinux-policy-420bacb.tar.gz
+SOURCES/selinux-policy-contrib-876387c.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index 9aede89..c1bc4dd 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,3 +1,3 @@
-cbdfd8953bf11fddf74ca36bda2ee718b8a0d753 SOURCES/container-selinux.tgz
-8ac8c4756d731805b29dac09cf522172a96bcbcb SOURCES/selinux-policy-contrib-2d82882.tar.gz
-b26706c162ed902446942e79c199f478d43dc0ae SOURCES/selinux-policy-ec7e4fd.tar.gz
+a5fc34a7fbfd13a2b86609bdea0bcc2b312163d1 SOURCES/container-selinux.tgz
+3756201d4d69bb4834cfaac8aff3398a1d8b482c SOURCES/selinux-policy-420bacb.tar.gz
+4de0c405f689cec37c49a8fc5054990f0fa27007 SOURCES/selinux-policy-contrib-876387c.tar.gz
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 79d90f6..5cd9c1b 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 ec7e4fda601e7952f1b3c60bddd7b176362789a4
+%global commit0 420bacb2c1f970da8f6b71d3338c1968bc1926db
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 2d8288242e1cc2086cb322e5414420b87a76d776
+%global commit1 876387c1df207a8364eacd41e6c0b89d13bba8c3
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 44%{?dist}
+Release: 48%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -715,6 +715,106 @@ exit 0
 %endif
 %changelog
+* Mon Jun 29 2020 Zdenek Pytela - 3.14.3-48
+- Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t
+Resolves: rhbz#1836820
+
+* Mon Jun 29 2020 Zdenek Pytela - 3.14.3-47
+- Allow virtlogd_t manage virt lib files
+Resolves: rhbz#1832756
+- Allow pdns server to read system state
+Resolves: rhbz#1801214
+- Support systemctl --user in machinectl
+Resolves: rhbz#1788616
+- Allow chkpwd_t read and write systemd-machined devpts character nodes
+Resolves: rhbz#1788616
+- Allow init_t write to inherited systemd-logind sessions pipes
+Resolves: rhbz#1788616
+- Label systemd-growfs and systemd-makefs as fsadm_exec_t
+Resolves: rhbz#1820798
+- Allow staff_u and user_u setattr generic usb devices
+Resolves: rhbz#1783325
+- Allow sysadm_t dbus chat with accountsd
+Resolves: rhbz#1828809
+
+* Tue Jun 23 2020 Zdenek Pytela - 3.14.3-46
+- Fix description tag for the sssd_connect_all_unreserved_ports tunable
+Related: rhbz#1826748
+- Allow journalctl process set its resource limits
+Resolves: rhbz#1825894
+- Add sssd_access_kernel_keys tunable to conditionally access kernel keys
+Resolves: rhbz#1802062
+- Make keepalived work with network namespaces
+Resolves: rhbz#1815281
+- Create sssd_connect_all_unreserved_ports boolean
+Resolves: rhbz#1826748
+- Allow hypervkvpd to request kernel to load a module
+Resolves: rhbz#1842414
+- Allow systemd_private_tmp(dirsrv_tmp_t)
+Resolves: rhbz#1836820
+- Allow radiusd connect to gssproxy over unix domain stream socket
+Resolves: rhbz#1813572
+- Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?'
+Resolves: rhbz#1832231
+- Modify kernel_rw_key() not to include append permission
+Related: rhbz#1802062
+- Add kernel_rw_key() interface to access to kernel keyrings
+Related: rhbz#1802062
+- Modify systemd_delete_private_tmp() to use delete_*_pattern macros
+Resolves: rhbz#1836820
+- Allow systemd-modules to load kernel modules
+Resolves: rhbz#1823246
+- Add cachefiles_dev_t as a typealias to cachefiles_device_t
+Resolves: rhbz#1814796
+
+* Mon Jun 15 2020 Zdenek Pytela - 3.14.3-45
+- Remove files_mmap_usr_files() call for particular domains
+Related: rhbz#1801214
+- Allow dirsrv_t list cgroup directories
+Resolves: rhbz#1836795
+- Create the kerberos_write_kadmind_tmp_files() interface
+Related: rhbz#1841488
+- Allow realmd_t dbus chat with accountsd_t
+Resolves: rhbz#1792895
+- Allow nagios_plugin_domain execute programs in bin directories
+Resolves: rhbz#1815621
+- Update allow rules set for nrpe_t domain
+Resolves: rhbz#1750821
+- Allow Gluster mount client to mount files_type
+Resolves: rhbz#1753626
+- Allow qemu-kvm read and write /dev/mapper/control
+Resolves: rhbz#1835909
+- Introduce logrotate_use_cifs boolean
+Resolves: rhbz#1795923
+- Allow ptp4l_t sys_admin capability to run bpf programs
+Resolves: rhbz#1759214
+- Allow rhsmd mmap /etc/passwd
+Resolves: rhbz#1814644
+- Remove files_mmap_usr_files() call for systemd_localed_t
+Related: rhbz#1801214
+- Allow domain mmap usr_t files
+Resolves: rhbz#1801214
+- Allow libkrb5 lib read client keytabs
+Resolves: rhbz#1831769
+- Add files_dontaudit_manage_boot_dirs() interface
+Related: rhbz#1803868
+- Create files_create_non_security_dirs() interface
+Related: rhbz#1840265
+- Add new interface dev_mounton_all_device_nodes()
+Related: rhbz#1840265
+- Add new interface dev_create_all_files()
+Related: rhbz#1840265
+- Allow sshd write to kadmind temporary files
+Resolves: rhbz#1841488
+- Create init_create_dirs boolean to allow init create directories
+Resolves: rhbz#1832231
+- Do not audit staff_t and user_t
attempts to manage boot_t entries
+Resolves: rhbz#1803868
+- Allow systemd to relabel all files on system.
+Resolves: rhbz#1818981
+- Make dbus-broker service working on s390x arch
+Resolves: rhbz#1840265
+
 * Wed May 20 2020 Zdenek Pytela - 3.14.3-44
 - Make boinc_var_lib_t label system mountdir attribute
 Resolves: rhbz#1779070