diff --git a/.gitignore b/.gitignore
index 67c68c4..dbd5186 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-8f56f63.tar.gz
-SOURCES/selinux-policy-contrib-2a53cd0.tar.gz
+SOURCES/selinux-policy-642155b.tar.gz
+SOURCES/selinux-policy-contrib-0e4a7a0.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index e3b3eb8..7d300f0 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,3 +1,3 @@
-0d1a0214195d9519327846c21d7ac90b7da218c1 SOURCES/container-selinux.tgz
-672cfe526149ad56c857a79856e769548d9ead8e SOURCES/selinux-policy-8f56f63.tar.gz
-6e84adfa8c88519a3c24f6f8426d59868bcd6050 SOURCES/selinux-policy-contrib-2a53cd0.tar.gz
+e531ed72bd4055f40cb0152b1f81842c96af37c5 SOURCES/container-selinux.tgz
+26b6cee1e1baf47309bfc5055781869abb589a2d SOURCES/selinux-policy-642155b.tar.gz
+17a4e399dbf5dd7266a5bf3904aad633e3889351 SOURCES/selinux-policy-contrib-0e4a7a0.tar.gz
diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf
index de87626..e683239 100644
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@@ -2656,3 +2656,10 @@ rrdcached = module
 # stratisd
 #
 stratisd = module
+
+# Layer: contrib
+# Module: insights_client
+#
+# insights_client
+#
+insights_client = module
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index ae88789..f7b074a 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 8f56f631a921d043bc8176f7c64a38cd77b48f66
+%global commit0 642155b226a48d3edbdc1a13fb9a9fece74140f7
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 2a53cd02bd0d06568ecc549b15321f658d00babd
+%global commit1 0e4a7a0e5879fd49a239fb71e000c4967fe98eca
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -24,12 +24,12 @@
 %define BUILD_MLS 1
 %endif
 %define POLICYVER 31
-%define POLICYCOREUTILSVER 2.9
+%define POLICYCOREUTILSVER 2.9-19
 %define CHECKPOLICYVER 2.9
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 79%{?dist}
+Release: 93%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -141,6 +141,7 @@ SELinux policy development and man page package
 %dir %{_usr}/share/selinux/devel
 %dir %{_usr}/share/selinux/devel/include
 %{_usr}/share/selinux/devel/include/*
+%exclude %{_usr}/share/selinux/devel/include/contrib/container.if
 %dir %{_usr}/share/selinux/devel/html
 %{_usr}/share/selinux/devel/html/*html
 %{_usr}/share/selinux/devel/html/*css
@@ -264,6 +265,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \
 #%{_libexecdir}/selinux/selinux-factory-reset \
 #%{_unitdir}/selinux-factory-reset@.service \
 #%{_unitdir}/basic.target.wants/selinux-factory-reset@%1.service \
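Review bot: The new `%verify(not md5 size mtime)` line for `modules_checksum` is undocumented, and it widens what `rpm -V` silently accepts: for the file that records the installed policy-module set, only mode, owner and group remain verified, so a modified or stale checksum file will no longer show up in package verification. Presumably semodule from policycoreutils 2.9-19 (the new `POLICYCOREUTILSVER` floor in the hunk above) rewrites this file on the installed system, which would justify the exemption exactly as for `file_contexts.homedirs`, but the spec should say so, e.g. `# modules_checksum is regenerated by semodule on the target system; verify only mode/owner/group, as for file_contexts.homedirs`. Operators who use `rpm -V selinux-policy-*` as an integrity check should be told that the policy store's own checksum file is outside that check. The `%files` macro this line belongs to starts and ends outside the hunk.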
@@ -715,6 +717,262 @@ exit 0
 %endif
 
 %changelog
+* Thu Feb 24 2022 Zdenek Pytela - 3.14.3-93
+- Allow systemd-networkd dbus chat with sosreport
+Resolves: rhbz#1949493
+- Allow sysadm_passwd_t to relabel passwd and group files
+Resolves: rhbz#2053457
+- Allow confined sysadmin to use tool vipw
+Resolves: rhbz#2053457
+- Allow sosreport dbus chat with abrt and timedatex
+Resolves: rhbz#1949493
+- Remove unnecessary /etc file transitions for insights-client
+Resolves: rhbz#2031853
+- Label all content in /var/lib/insights with insights_client_var_lib_t
+Resolves: rhbz#2031853
+- Update insights-client policy
+Resolves: rhbz#2031853
+- Update insights-client: fc pattern, motd, writing to etc
+Resolves: rhbz#2031853
+- Remove permissive domain for insights_client_t
+Resolves: rhbz#2031853
+- New policy for insight-client
+Resolves: rhbz#2031853
+- Add the insights_client module
+Resolves: rhbz#2031853
+- Update specfile to buildrequire policycoreutils-devel >= 2.9-19
+- Add modules_checksum to %files
+
+* Wed Feb 16 2022 Zdenek Pytela - 3.14.3-92
+- Allow postfix_domain read dovecot certificates 1/2
+Resolves: rhbz#2043599
+- Dontaudit dirsrv search filesystem sysctl directories 1/2
+Resolves: rhbz#2042568
+- Allow chage domtrans to sssd
+Resolves: rhbz#2054718
+- Allow postfix_domain read dovecot certificates 2/2
+Resolves: rhbz#2043599
+- Allow ctdb create cluster logs
+Resolves: rhbz#2049481
+- Allow alsa bind mixer controls to led triggers
+Resolves: rhbz#2049730
+- Allow alsactl set group Process ID of a process
+Resolves: rhbz#2049730
+- Dontaudit mdadm list dirsrv tmpfs dirs
+Resolves: rhbz#2011174
+- Dontaudit dirsrv search filesystem sysctl directories 2/2
+Resolves: rhbz#2042568
+- Revert "Label NetworkManager-dispatcher service with separate context"
+Related: rhbz#1989070
+- Revert "Allow NetworkManager-dispatcher dbus chat with NetworkManager"
+Related: rhbz#1989070
+
+* Wed Feb 09 2022 Zdenek Pytela - 3.14.3-91
+- Allow NetworkManager-dispatcher dbus chat with NetworkManager
+Resolves: rhbz#1989070
+
+* Fri Feb 04 2022 Zdenek Pytela - 3.14.3-90
+- Fix badly indented used interfaces
+Resolves: rhbz#2030156
+- Allow domain transition to sssd_t 1/2
+Resolves: rhbz#2022690
+- Allow confined users to use kinit,klist and etc.
+Resolves: rhbz#2026598
+- Allow login_userdomain open/read/map system journal
+Resolves: rhbz#2046481
+- Allow init read stratis data symlinks 2/2
+Resolves: rhbz#2048514
+- Label new utility of NetworkManager nm-priv-helper
+Resolves: rhbz#1986076
+- Label NetworkManager-dispatcher service with separate context
+Resolves: rhbz#1989070
+- Allow domtrans to sssd_t and role access to sssd
+Resolves: rhbz#2030156
+- Creating interface sssd_run_sssd()
+Resolves: rhbz#2030156
+- Allow domain transition to sssd_t 2/2
+Resolves: rhbz#2022690
+- Allow timedatex dbus chat with xdm
+Resolves: rhbz#2040214
+- Associate stratisd_data_t with device filesystem
+Resolves: rhbz#2048514
+- Allow init read stratis data symlinks 1/2
+Resolves: rhbz#2048514
+- Allow rhsmcertd create rpm hawkey logs with correct label
+Resolves: rhbz#1949871
+
+* Wed Jan 26 2022 Zdenek Pytela - 3.14.3-89
+- Allow NetworkManager talk with unconfined user over unix domain dgram socket
+Resolves: rhbz#2044048
+- Allow system_mail_t read inherited apache system content rw files
+Resolves: rhbz#1988339
+- Add apache_read_inherited_sys_content_rw_files() interface
+Related: rhbz#1988339
+- Allow rhsm-service execute its private memfd: objects
+Resolves: rhbz#2029873
+- Allow dirsrv read configfs files and directories
+Resolves: rhbz#2042568
+- Label /run/stratisd with stratisd_var_run_t
+Resolves: rhbz#1879585
+- Fix path for excluding container.if from selinux-policy-devel
+Resolves: rhbz#1861968
+
+* Thu Jan 20 2022 Zdenek Pytela - 3.14.3-88
+- Revert "Label /etc/cockpit/ws-certs.d with cert_t"
+Related: rhbz#1907473
+
+* Tue Jan 18 2022 Zdenek Pytela - 3.14.3-87
+- Set default file context for /sys/firmware/efi/efivars
+Resolves: rhbz#2039458
+- Allow sysadm_t start and stop transient services
+Resolves: rhbz#2031065
+- Label /etc/cockpit/ws-certs.d with cert_t
+Resolves: rhbz#1907473
+- Allow smbcontrol read the network state information
+Resolves: rhbz#2033873
+- Allow rhsm-service read/write its private memfd: objects
+Resolves: rhbz#2029873
+- Allow fcoemon request the kernel to load a module
+Resolves: rhbz#1940317
+- Allow radiusd connect to the radacct port
+Resolves: rhbz#2038955
+- Label /var/lib/shorewall6-lite with shorewall_var_lib_t
+Resolves: rhbz#2041447
+- Exclude container.if from selinux-policy-devel
+Resolves: rhbz#1861968
+
+* Mon Jan 03 2022 Zdenek Pytela - 3.14.3-86
+- Allow sysadm execute sysadmctl in sysadm_t domain using sudo
+Resolves: rhbz#2013749
+- Allow local_login_t get attributes of tmpfs filesystems
+Resolves: rhbz#2015539
+- Allow local_login_t get attributes of filesystems with ext attributes
+Resolves: rhbz#2015539
+- Allow local_login_t domain to getattr cgroup filesystem
+Resolves: rhbz#2015539
+- Allow systemd read unlabeled symbolic links
+Resolves: rhbz#2021835
+- Allow userdomains use pam_ssh_agent_auth for passwordless sudo
+Resolves: rhbz#1917879
+- Allow sudodomains execute passwd in the passwd domain
+Resolves: rhbz#1943572
+- Label authcompat.py with authconfig_exec_t
+Resolves: rhbz#1919122
+- Dontaudit pkcsslotd sys_admin capability
+Resolves: rhbz#2021887
+- Allow lldpd connect to snmpd with a unix domain stream socket
+Resolves: rhbz#1991029
+
+* Tue Dec 07 2021 Zdenek Pytela - 3.14.3-85
+- Allow unconfined_t to node_bind icmp_sockets in node_t domain
+Resolves: rhbz#2025445
+- Allow rhsmcertd get attributes of tmpfs_t filesystems
+Resolves: rhbz#2015820
+- The nfsdcld service is now confined by SELinux
+Resolves: rhbz#2026588
+- Allow smbcontrol use additional socket types
+Resolves: rhbz#2027740
+- Allow lldpd use an snmp subagent over a tcp socket
+Resolves: rhbz#2028379
+
+* Wed Nov 24 2021 Zdenek Pytela - 3.14.3-84
+- Allow sysadm_t read/write pkcs shared memory segments
+Resolves: rhbz#1965251
+- Allow sysadm_t connect to sanlock over a unix stream socket
+Resolves: rhbz#1965251
+- Allow sysadm_t dbus chat with sssd
+Resolves: rhbz#1965251
+- Allow sysadm_t set attributes on character device nodes
+Resolves: rhbz#1965251
+- Allow sysadm_t read and write watchdog devices
+Resolves: rhbz#1965251
+- Allow sysadm_t connect to cluster domains over a unix stream socket
+Resolves: rhbz#1965251
+- Allow sysadm_t dbus chat with tuned 2/2
+Resolves: rhbz#1965251
+- Update userdom_exec_user_tmp_files() with an entrypoint rule
+Resolves: rhbz#1920883
+- Allow sudodomain send a null signal to sshd processes
+Resolves: rhbz#1966945
+- Allow sysadm_t dbus chat with tuned 1/2
+Resolves: rhbz#1965251
+- Allow cloud-init dbus chat with systemd-logind
+Resolves: rhbz#2009769
+- Allow svnserve send mail from the system
+Resolves: rhbz#2004843
+- Allow svnserve_t domain to read system state
+Resolves: rhbz#2004843
+
+* Tue Nov 09 2021 Zdenek Pytela - 3.14.3-83
+- VQP: Include IANA-assigned TCP/1589
+Resolves: rhbz#1924038
+- Label port 3785/udp with bfd_echo
+Resolves: rhbz#1924038
+- Allow sysadm_t dbus chat with realmd_t
+Resolves: rhbz#2000488
+- Support sanlock VG automated recovery on storage access loss 1/2
+Resolves: rhbz#1985000
+- Revert "Support sanlock VG automated recovery on storage access loss"
+Resolves: rhbz#1985000
+- Support sanlock VG automated recovery on storage access loss
+Resolves: rhbz#1985000
+- radius: Lexical sort of service-specific corenet rules by service name
+Resolves: rhbz#1924038
+- radius: Allow binding to the BDF Control and Echo ports
+Resolves: rhbz#1924038
+- radius: Allow binding to the DHCP client port
+Resolves: rhbz#1924038
+- radius: Allow net_raw; allow binding to the DHCP server ports
+Resolves: rhbz#1924038
+- Support hitless reloads feature in haproxy
+Resolves: rhbz#2015423
+- Allow redis get attributes of filesystems with extended attributes
+Resolves: rhbz#2015435
+- Support sanlock VG automated recovery on storage access loss 2/2
+Resolves: rhbz#1985000
+- Revert "Support sanlock VG automated recovery on storage access loss"
+Resolves: rhbz#1985000
+
+* Wed Oct 20 2021 Zdenek Pytela - 3.14.3-82
+- Support sanlock VG automated recovery on storage access loss
+Resolves: rhbz#1985000
+- Allow proper function sosreport in sysadmin role
+Resolves: rhbz#1965251
+- Allow systemd execute user bin files
+Resolves: rhbz#1860443
+- Label /dev/crypto/nx-gzip with accelerator_device_t
+Resolves: rhbz#2011166
+- Allow ipsec_t and login_userdomain named file transition in tmpfs
+Resolves: rhbz#2001599
+- Support sanlock VG automated recovery on storage access loss
+Resolves: rhbz#1985000
+- Allow proper function sosreport via iotop
+Resolves: rhbz#1965251
+- Call pkcs_tmpfs_named_filetrans for certmonger
+Resolves: rhbz#2001599
+- Allow ibacm the net_raw and sys_rawio capabilities
+Resolves: rhbz#2010644
+- Support new PING_CHECK health checker in keepalived
+Resolves: rhbz#2010873
+- Update spamassasin policy to make working /usr/share/spamassassin/sa-update.cron script
+Resolves: rhbz#2011239
+
+* Mon Oct 04 2021 Zdenek Pytela - 3.14.3-81
+- Allow unconfined domains to bpf all other domains
+Resolves: rhbz#1991443
+- Allow vmtools_unconfined_t domain transition to rpm_script_t
+Resolves: rhbz#1872245
+- Allow unbound connectto unix_stream_socket
+Resolves: rhbz#1905441
+- Label /usr/sbin/virtproxyd as virtd_exec_t
+Resolves: rhbz#1854332
+- Allow postfix_domain to sendto unix dgram sockets.
+Resolves: rhbz#1920521
+
+* Thu Sep 16 2021 Zdenek Pytela - 3.14.3-80
+- Allow rhsmcertd_t dbus chat with anaconda install_t
+Resolves: rhbz#2004990
+
 * Fri Aug 27 2021 Zdenek Pytela - 3.14.3-79
 - Introduce xdm_manage_bootloader booelan
 Resolves: rhbz#1994096