diff --git a/.gitignore b/.gitignore
index 2ee29b6..267186c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,3 @@
-SOURCES/config.tgz
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-49222dd.tar.gz
-SOURCES/selinux-policy-contrib-a81a28a.tar.gz
+SOURCES/selinux-policy-9c02e99.tar.gz
+SOURCES/selinux-policy-contrib-c8ebb9f.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index fac645b..3b74b98 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,4 +1,3 @@
-260c8b8f890ddf2aba881acc0650cc3b5b0252d1 SOURCES/config.tgz
-ef119406ac3c18205334707d428aa92902e78830 SOURCES/container-selinux.tgz
-c00ffb50bdd7ad1c165a991710251d84ddba88f8 SOURCES/selinux-policy-49222dd.tar.gz
-311efebcca058e89ec9b4a96a7f99a441eed8f77 SOURCES/selinux-policy-contrib-a81a28a.tar.gz
+53ade5f3e668c078acfccdf1ec8094ac58f4847a SOURCES/container-selinux.tgz
+a39a2f69b1b5871767129babffd3fd3d7f1aca4f SOURCES/selinux-policy-9c02e99.tar.gz
+a357a9d089222708f0da5084425992182873bdfe SOURCES/selinux-policy-contrib-c8ebb9f.tar.gz
diff --git a/SOURCES/file_contexts.subs_dist b/SOURCES/file_contexts.subs_dist
index cde00a1..f64b231 100644
--- a/SOURCES/file_contexts.subs_dist
+++ b/SOURCES/file_contexts.subs_dist
@@ -12,7 +12,8 @@
 /var/lib/xguest/home /home
 /var/named/chroot/usr/lib64 /usr/lib
 /var/named/chroot/lib64 /usr/lib
-/var/home /home
+/home-inst /home
+/home/home-inst /home
 /var/roothome /root
 /sbin /usr/sbin
 /sysroot/tmp /tmp
diff --git a/SOURCES/macro-expander b/SOURCES/macro-expander
new file mode 100644
index 0000000..2670b61
--- /dev/null
+++ b/SOURCES/macro-expander
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+function usage {
+ echo "Usage: $0 [ -c | -t [ -M ] ] "
+ echo "Options:
+ -c generate CIL output
+ -t generate standard policy source format (.te) allow rules - this is default
+ -M generate complete module .te output
+"
+}
+
+function cleanup {
+ rm -rf $TEMP_STORE
+}
+
+while getopts "chMt" opt; do
+ case $opt in
+ c) GENCIL=1
+ ;;
+ t) GENTE=1
+ ;;
+ M) GENTEMODULE=1
+ ;;
+ h) usage
+ exit 0
+ ;;
+ \?) usage
+ exit 1
+ ;;
+ esac
+done
+
+shift $((OPTIND-1))
+
+SELINUX_MACRO=$1
+
+if [ -z "$SELINUX_MACRO" ]
+then
+ exit 1
+fi
+
+TEMP_STORE="$(mktemp -d)"
+cd $TEMP_STORE || exit 1
+
+IFS="("
+set $1
+SELINUX_DOMAIN="${2::-1}"
+
+echo -e "policy_module(expander, 1.0.0) \n" \
+ "gen_require(\`\n" \
+ "type $SELINUX_DOMAIN ; \n" \
+ "')" > expander.te
+
+echo "$SELINUX_MACRO" >> expander.te
+
+make -f /usr/share/selinux/devel/Makefile tmp/all_interfaces.conf &> /dev/null
+
+if [ "x$GENCIL" = "x1" ]; then
+
+ make -f /usr/share/selinux/devel/Makefile expander.pp &> /dev/null
+ MAKE_RESULT=$?
+
+ if [ $MAKE_RESULT -ne 2 ]
+ then
+ /usr/libexec/selinux/hll/pp < $TEMP_STORE/expander.pp > $TEMP_STORE/expander.cil 2> /dev/null
+ grep -v "cil_gen_require" $TEMP_STORE/expander.cil | sort -u
+ fi
+fi
+
+if [ "$GENTE" = "1" ] || [ "x$GENCIL" != "x1" ]; then
+ m4 -D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s /usr/share/selinux/devel/include/support/file_patterns.spt /usr/share/selinux/devel/include/support/ipc_patterns.spt /usr/share/selinux/devel/include/support/obj_perm_sets.spt /usr/share/selinux/devel/include/support/misc_patterns.spt /usr/share/selinux/devel/include/support/misc_macros.spt /usr/share/selinux/devel/include/support/all_perms.spt /usr/share/selinux/devel/include/support/mls_mcs_macros.spt /usr/share/selinux/devel/include/support/loadable_module.spt tmp/all_interfaces.conf expander.te > expander.tmp 2> /dev/null
+ if [ "x$GENTEMODULE" = "x1" ]; then
+ # sed '/^#.*$/d;/^\s*$/d;/^\s*class .*/d;/^\s*category .*/d;s/^\s*//' expander.tmp
+ sed '/^#.*$/d;/^\s*$/d;/^\s*category .*/d;s/^\s*//' expander.tmp
+ else
+ grep '^\s*allow' expander.tmp | sed 's/^\s*//'
+ fi
+fi
+
+cd - > /dev/null || exit 1
+cleanup
diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf
index 2c90709..ebff470 100644
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@@ -292,6 +292,13 @@ cfengine = module
 #
 cgroup = module
 
+# Layer: contrib
+# Module: cgdcbxd
+#
+# cgdcbxd policy
+#
+cgdcbxd = module
+
 # Layer: apps
 # Module: chrome
 #
@@ -2602,13 +2609,6 @@ sbd = module
 tlp = module
 
 # Layer: contrib
-# Module: ejabberd
-#
-# ejabberd
-#
-ejabberd = module
-
-# Layer: contrib
 # Module: conntrackd
 #
 # conntrackd
@@ -2637,6 +2637,13 @@ ibacm = module
 opafm = module
 
 # Layer: contrib
+# Module: boltd
+#
+# boltd
+#
+boltd = module
+
 # Layer: contrib
 # Module: kpatch
 #
 # kpatch
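Review bot: The temporary directory is leaked on every early exit: `cd $TEMP_STORE || exit 1` and `cd - > /dev/null || exit 1` both leave without calling cleanup, and the only removal, `rm -rf $TEMP_STORE`, expands the path unquoted, so a TMPDIR containing spaces would be word-split. Registering the handler as soon as the directory exists, `trap cleanup EXIT`, and quoting both uses, `rm -rf "$TEMP_STORE"` and `cd "$TEMP_STORE" || exit 1`, covers all exit paths in one place. Separately, `SELINUX_DOMAIN="${2::-1}"` presumes the argument contained a `(`; when it does not, `$2` is unset and bash rejects the negative-length expansion with an error instead of the usage text, so a guard such as `[ -n "$2" ] || { usage; exit 1; }` before that line would give the user a clear message. The script is installed into the devel subpackage's bindir (see the spec hunks), so these paths are reachable by any policy developer running it.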
diff --git a/SOURCES/rpm.macros b/SOURCES/rpm.macros
index a6e8e7c..3eadcbf 100644
--- a/SOURCES/rpm.macros
+++ b/SOURCES/rpm.macros
@@ -55,7 +55,7 @@ if [ -z "${_policytype}" ]; then \
 fi \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
 %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* \
- %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy \
+ %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
 fi \
 %{nil}
@@ -69,7 +69,7 @@ fi \
 if [ $1 -eq 0 ]; then \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
 %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
- %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy \
+ %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
 fi \
 fi \
 %{nil}
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 941bfef..32bcd7d 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 49222dd20c1712a7a9aba791f0627025845a24c3
+%global commit0 9c02e9977eedf96c45a26ed4a1d0c5e6c3f2c8d9
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 a81a28a49561ca0890dfb4b79aff47fe2b2568b7
+%global commit1 c8ebb9fb34b06455a41e1ff59626c186d8602452
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
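Review bot: The `|| :` added to the load_policy line in both hunks masks a failed policy load as well as the disabled-SELinux case it is presumably meant to cover, so a module that installed but could not be loaded now ends the scriptlet with success and no diagnostic. If only a non-zero exit from selinuxenabled should be tolerated, `if %{_sbindir}/selinuxenabled; then %{_sbindir}/load_policy; fi \` keeps the load_policy status visible to rpm. If masking is deliberate — the semodule line in the second hunk already does the same — a one-line comment above each macro definition (which starts outside these hunks) saying that these macros never fail the transaction would spare the next reader the question.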
@@ -24,14 +24,13 @@
 %define BUILD_MLS 1
 %endif
 %define POLICYVER 31
-%define POLICYCOREUTILSVER 2.7-19
-%define CHECKPOLICYVER 2.7-7
+%define POLICYCOREUTILSVER 2.9
+%define CHECKPOLICYVER 2.9
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.14.1
-Release: 61%{?dist}.2
+Version: 3.14.3
+Release: 20%{?dist}
 License: GPLv2+
-Group: System Environment/Base
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
 Source1: modules-targeted-base.conf
@@ -50,7 +49,6 @@ Source17: booleans-minimum.conf
 Source18: setrans-minimum.conf
 Source19: securetty_types-minimum
 Source20: customizable_types
-Source21: config.tgz
 Source22: users-mls
 Source23: users-targeted
 Source25: users-minimum
@@ -59,6 +57,12 @@ Source27: selinux-policy.conf
 Source28: permissivedomains.cil
 Source30: booleans.subs_dist
 
+# Tool helps during policy development, to expand system m4 macros to raw allow rules
+# Git repo: https://gitlab.cee.redhat.com/SELinux/macro-expander
+Source33: macro-expander
+
+# Include SELinux policy for container from separate container-selinux repo
+# Git repo: https://github.com/containers/container-selinux.git
 Source35: container-selinux.tgz
 
 # Do a factory reset when there's no policy.kern file in a store
@@ -68,7 +72,7 @@ Source35: container-selinux.tgz
 # Provide rpm macros for packages installing SELinux modules
 Source102: rpm.macros
 
-Url: %{git0-base}
+Url: %{git0}
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
 BuildRequires: gcc
@@ -82,7 +86,6 @@ Based off of reference policy: Checked out revision 2.20091117
 
 
 %files
-%defattr(-,root,root,-)
 %{!?_licensedir:%global license %%doc}
 %license COPYING
 %dir %{_usr}/share/selinux
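Review bot: The comment added above Source33 points to gitlab.cee.redhat.com, a host that readers of this spec outside Red Hat's network cannot reach, unlike the public github URL given for Source35 two lines below. Either name a public mirror if one exists or mark the reference as internal, e.g. `# Git repo (Red Hat internal): https://gitlab.cee.redhat.com/SELinux/macro-expander`, so nobody spends time on a dead link. The wording of the first comment line also reads awkwardly; `# Development helper that expands system m4 macros into raw allow rules` says the same thing more plainly.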
@@ -95,7 +98,6 @@ Based off of reference policy: Checked out revision 2.20091117
 
 %package sandbox
 Summary: SELinux policy sandbox
-Group: System Environment/Base
 Requires(pre): selinux-policy-base = %{version}-%{release}
 Requires(pre): selinux-policy-targeted = %{version}-%{release}
 
@@ -103,7 +105,6 @@ Requires(pre): selinux-policy-targeted = %{version}-%{release}
 SELinux sandbox policy used for the policycoreutils-sandbox package
 
 %files sandbox
-%defattr(-,root,root,-)
 %verify(not md5 size mtime) /usr/share/selinux/packages/sandbox.pp
 
 %post sandbox
@@ -126,7 +127,6 @@ exit 0
 
 %package devel
 Summary: SELinux policy devel
-Group: System Environment/Base
 Requires(pre): selinux-policy = %{version}-%{release}
 Requires: selinux-policy = %{version}-%{release}
 Requires: m4 checkpolicy >= %{CHECKPOLICYVER}
@@ -137,7 +137,7 @@ Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}
 SELinux policy development and man page package
 
 %files devel
-%defattr(-,root,root,-)
+%{_bindir}/macro-expander
 %dir %{_usr}/share/selinux/devel
 %dir %{_usr}/share/selinux/devel/include
 %{_usr}/share/selinux/devel/include/*
@@ -155,7 +155,6 @@ exit 0
 
 %package doc
 Summary: SELinux policy documentation
-Group: System Environment/Base
 Requires(pre): selinux-policy = %{version}-%{release}
 Requires: selinux-policy = %{version}-%{release}
 
@@ -163,7 +162,6 @@ Requires: selinux-policy = %{version}-%{release}
 SELinux policy documentation package
 
 %files doc
-%defattr(-,root,root,-)
 %{_mandir}/man*/*
 %{_mandir}/ru/*/*
 %doc %{_usr}/share/doc/%{name}
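Review bot: `%{_bindir}/macro-expander` in the `%files devel` hunk is listed without a mode, and the file it packages enters the repository as `new file mode 100644` and is copied with a bare `cp %{SOURCE33} %{buildroot}%{_bindir}/` in the %install hunk, so the installed script very likely ends up non-executable. Either `%attr(0755,root,root) %{_bindir}/macro-expander` here or `install -m 0755 %{SOURCE33} %{buildroot}%{_bindir}/` in the %install hunk fixes it; doing it in %install also makes the buildroot usable for local testing before packaging. The script itself relies on the devel Makefile and the hll/pp helper at run time, which the existing policycoreutils-devel requirement on this subpackage appears to cover — worth a quick confirmation rather than an assumption.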
@@ -276,7 +274,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
 /usr/sbin/selinuxenabled; \
 if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
- /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null > /dev/null; \
+ /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
 rm -f ${FILE_CONTEXT}.pre; \
 fi; \
 if /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
@@ -355,10 +353,9 @@ refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
 
 mkdir selinux_config
-for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do
+for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do
 cp $i selinux_config
 done
-tar zxvf selinux_config/config.tgz
 
 %install
 export PYTHON=%{__python3}
@@ -370,6 +367,8 @@ touch %{buildroot}%{_sysconfdir}/selinux/config
 touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
 mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
 cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/
+mkdir -p %{buildroot}%{_bindir}
+cp %{SOURCE33} %{buildroot}%{_bindir}/
 
 # Always create policy module package directories
 mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/
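Review bot: The rewritten fixfiles line now redirects stdout twice: `&> /dev/null` already sends both streams to /dev/null, so the trailing `> /dev/null` is a leftover from the old `2> /dev/null > /dev/null` form and should go, leaving `/sbin/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null; \`. `&>` is a bash extension rather than POSIX sh; this spec's scriptlets already depend on that elsewhere (the rpm.macros change in this same commit uses it too), so it is consistent, but a reader porting the macro should know. The macro body this line belongs to begins before the hunk.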
@@ -422,6 +421,9 @@ rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
 %installFactoryResetFiles mls
 %endif
 
+# remove leftovers when save-previous=true (semanage.conf) is used
+rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous
+
 mkdir -p %{buildroot}%{_mandir}
 cp -R man/* %{buildroot}%{_mandir}
 make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name} MLS_CATS=1024 MCS_CATS=1024 install-docs
@@ -485,7 +487,6 @@ exit 0
 %package targeted
 Summary: SELinux targeted base policy
 Provides: selinux-policy-base = %{version}-%{release}
-Group: System Environment/Base
 Obsoletes: selinux-policy-targeted-sources < 2
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
 Requires(pre): coreutils
@@ -553,7 +554,6 @@ fi
 exit 0
 
 %files targeted -f %{buildroot}/%{_usr}/share/selinux/targeted/nonbasemodules.lst
-%defattr(-,root,root,-)
 %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
 %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
 %fileList targeted
@@ -564,7 +564,6 @@ exit 0
 %package minimum
 Summary: SELinux minimum base policy
 Provides: selinux-policy-base = %{version}-%{release}
-Group: System Environment/Base
 Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
 Requires(pre): coreutils
 Requires(pre): selinux-policy = %{version}-%{release}
@@ -649,7 +648,6 @@ fi
 exit 0
 
 %files minimum -f %{buildroot}/%{_usr}/share/selinux/minimum/nonbasemodules.lst
-%defattr(-,root,root,-)
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
 %fileList minimum
@@ -658,7 +656,6 @@ exit 0
 %if %{BUILD_MLS}
 %package mls
 Summary: SELinux mls base policy
-Group: System Environment/Base
 Provides: selinux-policy-base = %{version}-%{release}
 Obsoletes: selinux-policy-mls-sources < 2
 Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
@@ -713,19 +710,285 @@ exit 0
 %files mls -f %{buildroot}/%{_usr}/share/selinux/mls/nonbasemodules.lst
-%defattr(-,root,root,-)
 %config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
 %fileList mls
 %endif
 
 %changelog
-* Mon Aug 05 2019 Lukas Vrabec - 3.14.1-61.2
+* Mon Sep 16 2019 Lukas Vrabec - 3.14.3-20
+- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces.
+- Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label
+Resolves: rhbz#1720639
+
+* Fri Aug 30 2019 Lukas Vrabec - 3.14.3-19
+- Update cpucontrol_t SELinux policy
+Resolves: rhbz#1743930
+
+* Mon Aug 19 2019 Lukas Vrabec - 3.14.3-18
+- Allow dlm_controld_t domain to transition to the lvm_t
+Resolves: rhbz#1732956
+
+* Fri Aug 16 2019 Lukas Vrabec - 3.14.3-17
+- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t
+Resolves: rhbz#1669485
+- Fix typo in networkmanager_append_log() interface
+Resolves: rhbz#1687460
+- Update gpg policy to make ti working with confined users
+Resolves: rhbz#1640296
+
+* Wed Aug 14 2019 Lukas Vrabec - 3.14.3-16
+- Allow audisp_remote_t domain to read kerberos keytab
+Resolves: rhbz#1740146
+
+* Mon Aug 12 2019 Lukas Vrabec - 3.14.3-15
+- Dontaudit abrt_t domain to read root_t files
+Resolves: rhbz#1734403
+- Allow ipa_dnskey_t domain to read kerberos keytab
+Resolves: rhbz#1730144
+- Update ibacm_t policy
+- Allow dlm_controld_t domain setgid capability
+Resolves: rhbz#1738608
+- Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp
+Resolves: rhbz#1740146
+- Update systemd_dontaudit_read_unit_files() interface to dontaudit alos listing dirs
+Resolves: rhbz#1670139
+
+* Wed Aug 07 2019 Lukas Vrabec - 3.14.3-14
+- Allow cgdcbxd_t domain to list cgroup dirs
+Resolves: rhbz#1651991
+
+* Mon Jul 29 2019 Lukas Vrabec - 3.14.3-13
+- Allow search krb5_keytab_t dirs for interfaces kerberos_read_keytab() and kerberos_rw_keytab
+Resolves: rhbz#1730144
+- Allow virtlockd process read virtlockd.conf file
+Resolves: rhbz#1733185
+- Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.
+Resolves: rhbz#1733185
+- Allow brltty to request to load kernel module
+Resolves: rhbz#1689955
+- Add svnserve_tmp_t label forl svnserve temp files to system private tmp
+Resolves: rhbz#1729955
+- Dontaudit svirt_tcg_t domain to read process state of libvirt
+Resolves: rhbz#1732500
+- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool
+Resolves: rhbz#1732381
+- Allow cyrus work with PrivateTmp
+Resolves: rhbz#1725023
+- Make cgdcbxd_t domain working with SELinux enforcing.
+Resolves: rhbz#1651991
+- Remove system_r role from staff_u user.
+Resolves: rhbz#1677052
+- Add systemd_private_tmp_type attribute
+Resolves: rhbz#1725023
+- Allow systemd to load kernel modules during boot process.
+Resolves: rhbz#1644805
+
+* Fri Jul 19 2019 Lukas Vrabec - 3.14.3-12
+- Make working wireshark execute byt confined users staff_t and sysadm_t
+Resolves: rhbz#1712788
+- Label user cron spool file with user_cron_spool_t
+Resolves: rhbz#1727342
+- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool
+Resolves: rhbz#1668667
+- Update svnserve_t policy to make working svnserve hooks
+Resolves: rhbz#1729955
+- Allow varnishlog_t domain to check for presence of varnishd_t domains
+Resolves: rhbz#1730270
+- Allow lsmd_t domain to execute /usr/bin/debuginfo-install
+Resolves: rhbz#1720648
+- Update sandboxX policy to make working firefox inside SELinux sandbox
+Resolves: rhbz#1663874
+- Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services
+Resolves: rhbz#1695248
+- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices
+Resolves: rhbz#1690484
+- Allow opafm_t domain to modify scheduling information of another process.
+Resolves: rhbz#1725874
+- Allow gssd_t domain to list tmpfs_t dirs
+Resolves: rhbz#1674470
+- Allow mdadm_t domain to read tmpfs_t files
+Resolves: rhbz#1669996
+- Allow sbd_t domain to check presence of processes labeled as cluster_t
+Resolves: rhbz#1669595
+- Dontaudit httpd_sys_script_t to read systemd unit files
+Resolves: rhbz#1670139
+- Allow blkmapd_t domain to read nvme devices
+Resolves: rhbz#1669985
+- Update cpucontrol_t domain to make working microcode service
+Resolves: rhbz#1669485
+- Allow domain transition from logwatch_t do postfix_postqueue_t
+Resolves: rhbz#1669162
+- Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test'
+Resolves: rhbz#1696252
+- Allow httpd_sys_script_t domain to mmap httpdcontent
+Resolves: rhbz#1693137
+- Allow sbd_t to manage cgroups_t files
+Resolves: rhbz#1715134
+- Update wireshark policy to make working tshar labeled as wireshark_t
+Resolves: rhbz#1711005
+- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files
+Resolves: rhbz#1719083
 - Allow sbd_t domain to use nsswitch
-Resolves: rhbz#1733905
-
-* Fri May 10 2019 Lukas Vrabec - 3.14.1-61.1
-- Allow unconfined users to use smc unlabeled sockets
-Resolves: rhbz#1708098
+Resolves: rhbz#1723498
+- Allow sysadm_t and staff_t domains to read wireshark shared memory
+Resolves: rhbz#1712788
+- Label /usr/libexec/utempter/utempter as utemper_exec_t
+Resolves: rhbz#1729571
+- Allow unconfined_domain_type to setattr own process lnk files.
+Resolves: rhbz#1730500
+- Add interface files_write_generic_pid_sockets()
+- Dontaudit writing to user home dirs by gnome-keyring-daemon
+Resolves: rhbz#1689797
+- Allow staff and admin domains to setpcap in user namespace
+Resolves: rhbz#1673922
+- Allow staff and sysadm to use lockdev
+Resolves: rhbz#1673269
+- Allow staff and sysadm users to run iotop.
+Resolves: rhbz#1671241
+- Dontaudit traceroute_t domain require sys_admin capability
+Resolves: rhbz#1671672
+- Dontaudit dbus chat between kernel_t and init_t
+Resolves: rhbz#1669095
+- Allow systemd labeled as init_t to create mountpoints without any specific label as default_t
+Resolves: rhbz#1696144
+
+* Tue Jul 10 2019 Lukas Vrabec - 3.14.3-11
+- Fix minor changes to pass coverity scan
+Resolves: rhbz#1728578
+
+* Tue Jul 09 2019 Lukas Vrabec - 3.14.3-10
+- Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files
+- Label /var/kerberos/krb5 as krb5_keytab_t
+Resolves: rhbz#1669975
+- Allow sbd_t domain to manage cgroup dirs
+Resolves: rhbz#1715134
+- Allow wireshark_t domain to create netlink netfilter sockets
+Resolves: rhbz#1711005
+- Allow gpg_agent_t domain to use nsswitch
+Resolves: rhbz#1567073
+- Allow httpd script types to mmap httpd rw content
+Resolves: rhbz#1693137
+- Allow confined users to login via cockpit
+Resolves: rhbz#1718814
+- Replace "-" by "_" in speechdispatcher types names
+- Change condor_domain declaration in condor_systemctl
+- Update interface networkmanager_manage_pid_files() to allow manage also dirs
+Resolves: rhbz#1720070
+- Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t files
+Resolves: rhbz#1719083
+- Fix all interfaces which cannot by compiled because of typos
+Resolves: rhbz#1687460
+- Allow auditd_t domain to send signals to audisp_remote_t domain
+Resolves: rhbz#1726659
+- Allow associate efivarfs_t on sysfs_t
+Resolves: rhbz#1709747
+- Allow userdomain attribute to manage cockpit_ws_t stream sockets
+Resolves: rhbz#1718814
+- Allow ssh_agent_type to read/write cockpit_session_t unnamed pipes
+- Add interface ssh_agent_signal()
+- Dontaudit unpriv_userdomain to manage boot_t files
+Resolves: rhbz#1723773
+- Allow crack_t domain read /et/passwd files
+Resolves: rhbz#1721132
+- Allow dhcpc_t domain to manage network manager pid files
+Resolves: rhbz#1720070
+
+* Mon Jun 10 2019 Lukas Vrabec - 3.14.3-9
+- Allow redis_t domain to read public sssd files
+Resolves: rhbz#1718200
+- Label /usr/sbin/nft as iptables_exec_t
+Resolves: rhbz#1656891
+
+* Wed Jun 05 2019 Lukas Vrabec - 3.14.3-8
+- Allow sbd_t domain to read tmpfs_t symlinks
+Resolves: rhbz#1715134
+
+* Mon Jun 03 2019 Lukas Vrabec - 3.14.3-7
+- Allow kadmind_t domain to read home config data
+Resolves: rhbz#1664983
+- Allow sbd_t domain to readwrite cgroups
+Resolves: rhbz#1715134
+- Label /var/log/pacemaker/pacemaker as cluster_var_log_t
+Resolves: rhbz#1712058
+- Allow certmonger_t domain to manage named cache files/dirs
+
+* Mon May 27 2019 Lukas Vrabec - 3.14.3-6
+- Allow kadmind_t domain to read pkcs11 module configs
+Resolves: rhbz#1664983
+- Allow kadmind_t domain to read named_cache_t files
+Resolves: rhbz#1703241
+- Fix bind_read_cache() interface to allow only read perms to caller domains
+- Allow chronyc_t domain to create own tmpfiles and allow communicate send data over unix dgram sockets
+Resolves: rhbz#1711909
+- Allow wireshark_t domain to create fifo temp files
+Resolves: rhbz#1711005
+- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
+Resolves :rhbz#1656837
+- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
+Resolves: rhbz#1648854
+- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
+Resolves:rhbz#1688671
+- Add dac_override capability to namespace_init_t domain
+Resolves: rhbz#1557420
+- Label /usr/sbin/corosync-qdevice as cluster_exec_t
+Resolves: rhbz#1690925
+- Label /usr/libexec/dnf-utils as debuginfo_exec_t
+Resolves: rhbz#1711183
+- Allow rtkit_scheduled for sysadm
+Resolves: rhbz#1703241
+- Fix find commands in Makefiles
+- Allow associate all filesystem_types with fs_t
+Resolves: rhbz#1614209
+- Allow init_t to manage session_dbusd_tmp_t dirs
+Resolves: rhbz#1688671
+- Allow systemd_gpt_generator_t to read/write to clearance
+Resolves: rhbz#1558573
+- Allow su_domain_type to getattr to /dev/gpmctl
+Resolves: rhbz#1593667
+
+* Fri May 17 2019 Lukas Vrabec - 3.14.3-5
+- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
+Resolves :rhbz#1656837
+- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
+Resolves: rhbz#1648854
+- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
+Resolves:rhbz#1688671
+- Add dac_override capability to namespace_init_t domain
+Resolves: rhbz#1557420
+- Label /usr/sbin/corosync-qdevice as cluster_exec_t
+Resolves: rhbz#1690925
+- Label /usr/libexec/dnf-utils as debuginfo_exec_t
+Resolves: rhbz#1711183
+- Label /usr/bin/tshark as wireshark_exec_t
+Resolves: rhbz#1710962
+- Allow rhsmcertd_t domain to read rpm cache files
+Resolves: rhbz#1641648
+- Allow associate all filesystem_types with fs_t
+Resolves: rhbz#1614209
+- Allow init_t to manage session_dbusd_tmp_t dirs
+Resolves: rhbz#1688671
+- Allow systemd_gpt_generator_t to read/write to clearance
+Resolves: rhbz#1558573
+- Allow su_domain_type to getattr to /dev/gpmctl
+Resolves: rhbz#1593667
+- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
+Resolves: rhbz#1709372
+
+* Thu May 02 2019 Lukas Vrabec - 3.14.3-4
+- Rebase with Fedora 30 package selinux-policy-3.14.3-34.fc30
+Resolves: rhbz#1673107
+
+* Tue Apr 23 2019 Lukas Vrabec - 3.14.3-3
+- Rebase with Fedora 30 package selinux-policy-3.14.3-31.fc30
+Resolves: rhbz#1673107
+
+* Tue Apr 16 2019 Lukas Vrabec - 3.14.3-2
+- Fix interface kernel_mounton_kernel_sysctl()
+Resolves: rhbz#1700222
+
+* Wed Apr 10 2019 Lukas Vrabec - 3.14.3-1
+- Rebase with Fedora 30 package selinux-policy-3.14.3-28.fc30
+Resolves: rhbz#1673107
 
 * Fri Feb 22 2019 Lukas Vrabec - 3.14.1-61
 - Add dac_override capability for sbd_t SELinux domain