diff --git a/.gitignore b/.gitignore
index 464dd8c8..5a987858 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 container-selinux.tgz
-selinux-policy-061ed78.tar.gz
+selinux-policy-9e50303.tar.gz
diff --git a/binsbin-convert.sh b/binsbin-convert.sh
new file mode 100755
index 00000000..6f6b5289
--- /dev/null
+++ b/binsbin-convert.sh
@@ -0,0 +1,90 @@
+#!/usr/bin/bash
+### binsbin-convert.sh
+### convert legacy filecontext entries containing /usr/sbin to /usr/bin
+### and load an extra selinux module with the new content
+### the script takes a policy name as an argument
+
+# Set DEBUG=yes before running the script to get more verbose output
+# on the terminal and to the $LOG file
+if [ "${DEBUG}" = "yes" ]; then
+ set -x
+fi
+
+# Auxiliary and log files will be created in OUTPUTDIR
+OUTPUTDIR="/run/selinux-policy"
+LOG="$OUTPUTDIR/binsbin-log"
+mkdir -p ${OUTPUTDIR}
+
+if [ -z ${1} ]; then
+ [ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
+ exit
+fi
+
+SEMODULEOPT="-s ${1}"
+[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
+
+# Take current file_contexts and unify whitespace separators
+FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
+FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
+if [ ! -f ${FILE_CONTEXTS} ]; then
+ [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
+ exit
+fi
+
+if ! grep -q ^/usr/sbin ${FILE_CONTEXTS}; then
+ [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /usr/sbin" >> $LOG
+ exit
+fi
+
+EXTRA_BINSBIN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_binsbin_entries_dup.txt"
+EXTRA_BINSBIN_ENTRIES="$OUTPUTDIR/extra_binsbin_entries.txt"
+EXTRA_BINSBIN_CIL="$OUTPUTDIR/extra_binsbin.cil"
+
+# Print only /usr/sbin entries
+grep ^/usr/sbin ${FILE_CONTEXTS} > ${EXTRA_BINSBIN_ENTRIES_WITHDUP}
+
+# Unify whitespace separators
+sed -i 's/[ \t]\+/ /g' ${EXTRA_BINSBIN_ENTRIES_WITHDUP}
+sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
+
+# Deduplicate already existing /usr/bin=/usr/sbin entries
+while read line
+do
+ subline="/usr/bin/${line#/usr/sbin/}"
+ if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
+ echo "$line"
+ fi
+done < ${EXTRA_BINSBIN_ENTRIES_WITHDUP} > ${EXTRA_BINSBIN_ENTRIES}
+
+# Change /usr/sbin to /usr/bin
+sed -i 's|^/usr/sbin|/usr/bin|' ${EXTRA_BINSBIN_ENTRIES}
+
+# Change format to cil
+sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_BINSBIN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_BINSBIN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_BINSBIN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_BINSBIN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_BINSBIN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_BINSBIN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_BINSBIN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_BINSBIN_ENTRIES}
+sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_BINSBIN_ENTRIES}
+sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_BINSBIN_ENTRIES}
+
+# Handle entries with <> which do not match previous regexps
+sed -i s'/ <>$/ ())/' ${EXTRA_BINSBIN_ENTRIES}
+
+# Wrap each line with an optional block
+i=1
+while read line
+do
+ echo "(optional extra_binsbin_${i}"
+ echo " $line"
+ echo ")"
+ ((i++))
+done < ${EXTRA_BINSBIN_ENTRIES} > ${EXTRA_BINSBIN_CIL}
+
+# Load module
+[ -s ${EXTRA_BINSBIN_CIL} ] &&
+/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_BINSBIN_CIL}
+
diff --git a/modules-automotive.lst b/modules-automotive.lst
new file mode 100644
index 00000000..20585b66
--- /dev/null
+++ b/modules-automotive.lst
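Review bot: Both `while read line` loops (the dedup loop and the optional-block loop) read file_contexts entries without `-r`, so a backslash in a path regex such as `\.` is consumed by `read`, the dedup `grep` then fails to find the already existing /usr/bin entry, and the generated filecon carries an altered regex; use `while IFS= read -r line` in both places. The unquoted `[ -z ${1} ]` works only because a lone `-z` tests as a non-empty string; write `[ -z "${1}" ]` and quote the other `${1}` and `${FILE_CONTEXTS}` expansions too. Every early `exit` here returns status 0 and the reason reaches `$LOG` only when DEBUG=yes, so a missing store or a failed `semodule -i` is invisible to the calling scriptlet; writing the error lines unconditionally and checking the `semodule` status would make a silent failure diagnosable. Note also that `grep -q "^${subline}"` treats the entry as a regex rather than literal text, so entries that differ only in escaping may not be recognised as duplicates — worth confirming against real file_contexts data.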
@@ -0,0 +1,74 @@ +anaconda +apache +application +auditadm +authlogin +base +bluetooth +bootloader +chronyd +clock +cpucontrol +daemontools +dbus +dhcp +dmesg +fstools +fwupd +games +getty +gnome +gpg +hostname +init +ipsec +iptables +journalctl +kerberos +ldap +libraries +loadkeys +locallogin +logadm +logging +lpd +lvm +mandb +miscfiles +modutils +mount +mta +namespace +netlabel +netutils +networkmanager +nis +oddjob +pesign +postgresql +rdisc +rpc +rpm +secadm +selinuxutil +setrans +seunshare +ssh +sssd +stalld +su +sudo +sysadm +sysadm_secadm +sysnetwork +systemd +udev +unconfined +unconfineduser +unlabelednet +userdomain +userhelper +usermanage +virt +vlock +xserver diff --git a/modules-dropped.lst b/modules-dropped.lst new file mode 100644 index 00000000..484906ba --- /dev/null +++ b/modules-dropped.lst @@ -0,0 +1,4 @@ +mailman +mongodb +ntp +prelude diff --git a/modules-filtered.lst b/modules-extra.lst similarity index 87% rename from modules-filtered.lst rename to modules-extra.lst index 659c892f..34782b22 100644 --- a/modules-filtered.lst +++ b/modules-extra.lst @@ -1,5 +1,3 @@ -aiccu -amtu antivirus apcupsd arpwatch @@ -22,32 +20,26 @@ exim fail2ban gdomap hddtemp -ktls l2tp -linuxptp lircd livecd lttng-tools -mailman man2html milter minidlna mock -mongodb mplayer munin nagios nsd nslcd -ntp nut -openct openfortivpn openvpn pdns pingd postgrey -prelude +powerprofiles privoxy prosody puppet @@ -57,6 +49,7 @@ rkhunter rlogin rshd smokeping +systemd-homed tcpd tcsd tlp diff --git a/process-modules-filtered.py b/process-modules-filtered.py new file mode 100755 index 00000000..dbfefe4f --- /dev/null +++ b/process-modules-filtered.py 
@@ -0,0 +1,40 @@
+#!/usr/bin/python3
+"""read modules-filtered.lst and update modules.conf
+
+Usage:
+    # enable only modules listed in the modules-filtered.lst file
+    ./process-modules-filtered.py ../../modules-filtered.lst dist/targeted/modules.conf enabled > policy/modules.conf
+
+    # disable modules listed in the modules-filtered.lst file
+    ./process-modules-filtered.py ../../modules-filtered.lst dist/targeted/modules.conf disabled > policy/modules.conf
+
+"""
+
+import sys
+
+modules = []
+for line in open(sys.argv[1]):
+    if line[0] != "#":
+        modules.append(line.strip())
+
+
+for line in open(sys.argv[2]):
+    if len(line) == 1 or line[0] == "#":
+        print(line, end='')
+        continue
+
+    (name, sep, state) = line.partition(" = ")
+
+    if state.rstrip() == "base":
+        print(line, end='')
+        continue
+
+    if not name in modules and sys.argv[3] == "enabled":
+        print(name, " = off", sep='')
+        continue
+
+    if name in modules and sys.argv[3] == "disabled":
+        print(name, " = off", sep='')
+        continue
+
+    print(line, end='')
diff --git a/rpm.macros b/rpm.macros
index 643cbb89..d341f679 100644
--- a/rpm.macros
+++ b/rpm.macros
@@ -18,7 +18,10 @@
 # RPM macros for packages installing SELinux modules
+# Latest version of selinux-policy
 %_selinux_policy_version SELINUXPOLICYVERSION
+# Updated after major policy changes
+%_selinux_policy_stable_version SELINUXPOLICYSTABLE
 %_selinux_store_path SELINUXSTOREPATH
 %_selinux_store_policy_path %{_selinux_store_path}/${_policytype}
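Review bot: The mode argument `sys.argv[3]` is only ever compared against "enabled" and "disabled" and is never validated, so a typo in the spec's `%makeModulesConf` invocation makes the script echo modules.conf unchanged and the build silently proceeds with every module still on; add `if len(sys.argv) != 4 or sys.argv[3] not in ("enabled", "disabled"): sys.exit("usage: process-modules-filtered.py LIST MODULES_CONF enabled|disabled")` after the import. Both `open()` calls leave the file handles for the interpreter to close; `with open(sys.argv[1]) as f:` is the idiomatic form. The docstring still describes modules-filtered.lst, while the spec now passes modules-dropped.lst and modules-extra.lst, so the Usage text should name the list file generically. `if not name in modules` reads better as `if name not in modules`.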
@@ -31,11 +34,12 @@ # %selinux_requires_min - minimal required set of packages for deploying a policy module %selinux_requires_min \ -Requires: selinux-policy >= %{_selinux_policy_version} \ +Requires: selinux-policy >= %{_selinux_policy_stable_version} \ +Recommends: selinux-policy >= %{_selinux_policy_version} \ BuildRequires: pkgconfig(systemd) \ BuildRequires: selinux-policy \ BuildRequires: selinux-policy-devel \ -Requires(post): selinux-policy-base >= %{_selinux_policy_version} \ +Requires(post): selinux-policy-base >= %{_selinux_policy_stable_version} \ Requires(post): libselinux-utils \ Requires(post): policycoreutils \ %{nil} diff --git a/selinux-policy.spec b/selinux-policy.spec index 0bc9e772..bb58e98a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -4,26 +4,29 @@ ## END: Set by rpmautospec # Conditionals for policy types (all built by default) -%bcond targeted 1 -%bcond minimum 1 -%bcond mls 1 +%bcond targeted 1 +%bcond minimum 1 +%bcond mls 1 +%bcond automotive 1 # github repo with selinux-policy sources %global giturl https://github.com/fedora-selinux/selinux-policy -%global commit 061ed78f650a71a7f47e9a9dcc20e0880e108346 +%global commit 9e503038e5c4189afadd88d66cd63ae8c54e0064 %global shortcommit %(c=%{commit}; echo ${c:0:7}) %define distro redhat %define polyinstatiate n %define monolithic n -%define POLICYVER 34 -%define POLICYCOREUTILSVER 3.8 -%define CHECKPOLICYVER 3.8 +%define POLICYVER 35 +%define POLICYCOREUTILSVER 3.10 +%define CHECKPOLICYVER 3.10 +# To be updated after major policy changes +%define STABLEVER 42.1.18 Summary: SELinux policy configuration Name: selinux-policy -Version: 40.13.26 -Release: 1%{?dist} +Version: 42.1.18 +Release: 4%{?dist} License: GPL-2.0-or-later Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz Source1: Makefile.devel 
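Review bot: `%selinux_requires_min` now hard-requires only `selinux-policy >= %{_selinux_policy_stable_version}` and demotes the exact build-time version to a Recommends, so a module built against interfaces added after the stable baseline may be installed on a system whose policy lacks them and would then presumably fail at `semodule` time instead of at dependency resolution; nothing in the macro text says this. Add a comment above the macro, e.g. `# Hard-require the stable baseline only; the exact build version is a Recommends, so modules using interfaces newer than _selinux_policy_stable_version must require it explicitly`, and extend the one-line comment on `%_selinux_policy_stable_version` in the previous hunk with what qualifies as a "major policy change".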
@@ -38,9 +41,13 @@ Source3: macro-expander Source4: container-selinux.tgz # do not ship these modules -Source15: modules-filtered.lst +Source13: process-modules-filtered.py +Source14: modules-extra.lst +Source15: modules-dropped.lst + # modules enabled in -minimum policy Source16: modules-minimum.lst +Source17: modules-automotive.lst Source36: selinux-check-proper-disable.service @@ -49,6 +56,8 @@ Source37: varrun-convert.sh # Configuration files to dnf-protect targeted and/or mls subpackages Source38: selinux-policy-targeted.conf Source39: selinux-policy-mls.conf +# Script to convert /usr/sbin file context entries to /usr/bin +Source40: binsbin-convert.sh # Provide rpm macros for packages installing SELinux modules Source5: rpm.macros @@ -64,6 +73,7 @@ Requires(post): /bin/awk /usr/bin/sha512sum Requires(meta): (rpm-plugin-selinux if rpm-libs) Requires: selinux-policy-any = %{version}-%{release} Provides: selinux-policy-base = %{version}-%{release} +Provides: selinux-policy-stable = %{STABLEVER} Suggests: selinux-policy-targeted %description @@ -82,8 +92,21 @@ the policy has been adjusted to provide support for Fedora. %{_usr}/lib/tmpfiles.d/selinux-policy.conf %{_rpmconfigdir}/macros.d/macros.selinux-policy %{_unitdir}/selinux-check-proper-disable.service +%{_libexecdir}/selinux/binsbin-convert.sh %{_libexecdir}/selinux/varrun-convert.sh +%package extra +Summary: SELinux policy - extra modules +Requires: (selinux-policy-targeted-extra if selinux-policy-targeted) +Requires: (selinux-policy-mls-extra if selinux-policy-mls) +Provides: selinux-policy-epel = %{version}-%{release} +Obsoletes: selinux-policy-epel < 40.13.31-2 + +%description extra +SELinux policy - extra modules + +%files extra + %package sandbox Summary: SELinux sandbox policy Requires(pre): selinux-policy-base = %{version}-%{release} 
@@ -170,7 +193,8 @@ install -p -m0644 ./dist/%1/booleans.conf ./policy/booleans.conf \ install -p -m0644 ./dist/%1/users ./policy/users \ %define makeModulesConf() \ -install -p -m0644 ./dist/%1/modules.conf ./policy/modules.conf \ +# install -p -m0644 ./dist/%1/modules.conf ./policy/modules.conf \ +%{SOURCE13} %{SOURCE15} ./dist/%1/modules.conf disabled > ./policy/modules.conf \ %define installCmds() \ %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \ @@ -259,6 +283,9 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \ +%ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_binsbin \ +%ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_binsbin/cil \ +%ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_binsbin/lang_ext \ %ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \ %ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil \ %ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/lang_ext \ 
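Review bot: `%makeModulesConf` keeps the old install line as a `# … \` comment inside the macro body; the body is expanded into a shell section where a trailing backslash on a comment line is not a continuation, so the line is just noise and the macro should consist of the single `%{SOURCE13} %{SOURCE15} ./dist/%1/modules.conf disabled > ./policy/modules.conf \` line. `%{SOURCE13}` is executed directly, which relies on the source file's executable bit (100755 in this commit) being preserved through the SRPM; invoking it as `%{__python3} %{SOURCE13} …` would not depend on that.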
@@ -328,8 +355,10 @@ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/m %define nonBaseModulesList() \ modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules.lst` \ for i in $modules; do \ - if [ $i != "sandbox" ] && ! grep -E "^$i$" %{SOURCE15}; then \ + if [ $i != "sandbox" ] && ! grep -E "^$i$" %{SOURCE14}; then \ echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \ + elif grep -E "^$i$" %{SOURCE14}; then \ + echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/modules-extra.lst \ else \ rm -rf %{buildroot}%{_sharedstatedir}/selinux/{targeted,minimum,mls}/active/modules/100/$i \ fi \ @@ -395,6 +424,12 @@ if posix.access ("%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/ os.execute ("%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun") \ end +# Remove the local_binsbin SELinux module +%define removeBinsbinModuleLua() \ +if posix.access ("%{_sharedstatedir}/selinux/%1/active/modules/400/extra_binsbin/cil", "r") then \ + os.execute ("%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_binsbin") \ +end + %build %prep 
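Review bot: The comment introducing `%removeBinsbinModuleLua` says "local_binsbin" while the macro removes `…/modules/400/extra_binsbin`; change it to `# Remove the extra_binsbin SELinux module`. In the `%nonBaseModulesList` hunk earlier on this line, `grep -E "^$i$" %{SOURCE14}` is evaluated twice per module and its matches are printed into the build log; reordering to `if grep -qE "^$i$" %{SOURCE14}; then` (extra list) `elif [ $i != "sandbox" ]; then` (nonbasemodules) `else` (rm) yields the same classification with one quiet grep.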
@@ -414,10 +449,11 @@ mkdir -p %{buildroot}%{_bindir} install -p -m 755 %{SOURCE3} %{buildroot}%{_bindir}/ mkdir -p %{buildroot}%{_libexecdir}/selinux install -p -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux +install -p -m 755 %{SOURCE40} %{buildroot}%{_libexecdir}/selinux # Always create policy module package directories -mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/ -mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/ +mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,automotive,modules}/ +mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,automotive,modules}/ mkdir -p %{buildroot}%{_datadir}/selinux/packages @@ -446,6 +482,8 @@ install -p -m 644 %{SOURCE38} %{buildroot}%{_sysconfdir}/dnf/protected.d/ # Build minimum policy %makeCmds minimum mcs allow %makeModulesConf targeted +mv ./policy/modules.conf ./policy/modules.conf.dropped +%{SOURCE13} %{SOURCE14} ./policy/modules.conf.dropped disabled > ./policy/modules.conf %installCmds minimum mcs allow rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox install -p -m 644 %{SOURCE16} %{buildroot}%{_datadir}/selinux/minimum/modules-enabled.lst 
@@ -463,8 +501,21 @@ install -p -m 644 %{SOURCE16} %{buildroot}%{_datadir}/selinux/minimum/modules-en install -p -m 644 %{SOURCE39} %{buildroot}%{_sysconfdir}/dnf/protected.d/ %endif +%if %{with automotive} +# Build automotive policy +%makeCmds automotive mcs deny +%makeModulesConf targeted +mv ./policy/modules.conf ./policy/modules.conf.dropped +%{SOURCE13} %{SOURCE14} ./policy/modules.conf.dropped disabled > ./policy/modules.conf +%installCmds automotive mcs deny +rm -rf %{buildroot}%{_sharedstatedir}/selinux/automotive/active/modules/100/sandbox +install -p -m 644 %{SOURCE17} %{buildroot}%{_datadir}/selinux/automotive/modules-enabled.lst +%modulesList automotive +%nonBaseModulesList automotive +%endif + # remove leftovers when save-previous=true (semanage.conf) is used -rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous +rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls,automotive}/previous make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers @@ -481,6 +532,7 @@ mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/de mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d install -p -m 644 %{SOURCE5} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy +sed -i 's/SELINUXPOLICYSTABLE/%{STABLEVER}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy mkdir -p %{buildroot}%{_unitdir} @@ -567,6 +619,7 @@ SELinux targeted policy package. %pretrans targeted -p %backupConfigLua %removeVarrunModuleLua targeted +%removeBinsbinModuleLua targeted %pre targeted %preInstall targeted 
@@ -577,9 +630,11 @@ exit 0 %posttrans targeted %checkConfigConsistency targeted -%{_libexecdir}/selinux/varrun-convert.sh targeted %postInstall $1 targeted +%{_libexecdir}/selinux/varrun-convert.sh targeted +%{_libexecdir}/selinux/binsbin-convert.sh targeted %{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm /etc/mdevctl.d +%{_sbindir}/restorecon -Ri /usr/sbin /var/run %postun targeted if [ $1 = 0 ]; then 
@@ -602,26 +657,116 @@ exit 0 %{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB 2> /dev/null exit 0 +%triggerin -- grafana +%{_libexecdir}/selinux/binsbin-convert.sh targeted +%{_sbindir}/restorecon -Ri /usr/sbin + +%triggerin -- linuxptp +%{_libexecdir}/selinux/binsbin-convert.sh targeted +%{_sbindir}/restorecon -Ri /usr/sbin + +%triggerin -- openwsman-server +%{_libexecdir}/selinux/binsbin-convert.sh targeted +%{_sbindir}/restorecon -Ri /usr/sbin + +%triggerin -- smartmontools +%{_libexecdir}/selinux/binsbin-convert.sh targeted +%{_sbindir}/restorecon -Ri /usr/sbin + +%triggerin -- usbguard +%{_libexecdir}/selinux/binsbin-convert.sh targeted +%{_sbindir}/restorecon -Ri /usr/sbin + %triggerprein -p -- container-selinux %removeVarrunModuleLua targeted %triggerprein -p -- pcp-selinux %removeVarrunModuleLua targeted -%triggerpostun -- pcp-selinux -%{_libexecdir}/selinux/varrun-convert.sh targeted +%triggerprein -p -- fapolicyd-selinux +%removeBinsbinModuleLua targeted + +%triggerprein -p -- grafana-selinux +%removeBinsbinModuleLua targeted + +%triggerprein -p -- linuxptp-selinux +%removeBinsbinModuleLua targeted + +%triggerprein -p -- openwsman-selinux +%removeBinsbinModuleLua targeted + +%triggerprein -p -- smartmontools-selinux +%removeBinsbinModuleLua targeted + +%triggerprein -p -- usbguard-selinux +%removeBinsbinModuleLua targeted + +%triggerpostun -- selinux-policy-targeted < 3.12.1-74 +rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null exit 0 %triggerpostun -- container-selinux %{_libexecdir}/selinux/varrun-convert.sh targeted exit 0 +%triggerpostun -- grafana-selinux +%{_libexecdir}/selinux/binsbin-convert.sh targeted +exit 0 + +%triggerpostun -- linuxptp-selinux +%{_libexecdir}/selinux/binsbin-convert.sh targeted +exit 0 + +%triggerpostun -- openwsman-selinux +%{_libexecdir}/selinux/binsbin-convert.sh targeted +exit 0 + +%triggerpostun -- smartmontools-selinux +%{_libexecdir}/selinux/binsbin-convert.sh targeted +exit 0 
+ +%triggerpostun -- pcp-selinux +%{_libexecdir}/selinux/varrun-convert.sh targeted +exit 0 + +%triggerpostun -- usbguard-selinux +%{_libexecdir}/selinux/binsbin-convert.sh targeted +exit 0 + %files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst %config(noreplace) %{_sysconfdir}/dnf/protected.d/selinux-policy-targeted.conf %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u %fileList targeted %verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains + +%package targeted-extra +Summary: SELinux targeted policy - extra modules +Requires: selinux-policy-targeted = %{version}-%{release} +Provides: selinux-policy-epel-targeted = %{version}-%{release} +Obsoletes: selinux-policy-epel-targeted < 40.13.31-2 + +%description targeted-extra +SELinux targeted policy package - extra modules + +%pre targeted-extra +%preInstall targeted + +%posttrans targeted-extra +%postInstall $1 targeted + +%preun targeted-extra +if [ $1 -eq 0 ]; then + %preInstall targeted +fi + +%postun targeted-extra +if [ $1 -eq 0 ]; then + %postInstall 0 targeted +fi + +%files targeted-extra -f %{buildroot}%{_datadir}/selinux/targeted/modules-extra.lst +%{_datadir}/selinux/targeted/modules-extra.lst %endif %if %{with minimum} @@ -640,6 +785,8 @@ SELinux minimum policy package. %pretrans minimum -p %backupConfigLua +%removeVarrunModuleLua minimum +%removeBinsbinModuleLua minimum %pre minimum %preInstall minimum @@ -684,6 +831,7 @@ exit 0 %posttrans minimum %checkConfigConsistency minimum %{_libexecdir}/selinux/varrun-convert.sh minimum +%{_libexecdir}/selinux/binsbin-convert.sh minimum %{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm %postun minimum 
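Review bot: The new `%triggerin -- grafana|linuxptp|openwsman-server|smartmontools|usbguard` and `%triggerpostun -- *-selinux` scriptlets always run `binsbin-convert.sh targeted`, so on a host using the minimum, mls or automotive store installing one of those packages does not regenerate that store's extra_binsbin module, even though each store's `%posttrans` does run the script; the triggers appear to sit inside the targeted section (inferred from the `%files targeted` that follows), so either the other sections need equivalents or a comment should state that only the targeted store is converted by triggers. The five `%triggerin` blocks repeat the same two lines; a parameterised macro such as `%define binsbinTriggerin() %{_libexecdir}/selinux/binsbin-convert.sh %1 \ %{_sbindir}/restorecon -Ri /usr/sbin` would keep them in step. The `%triggerpostun -- selinux-policy-targeted < 3.12.1-74` scriptlet that lost its `exit 0` neighbour now ends in `rm -f … 2>/dev/null` followed by the surviving `exit 0`, which is fine, but worth a glance since the original pairing was moved.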
@@ -709,6 +857,90 @@ exit 0 %{_datadir}/selinux/minimum/modules-enabled.lst %endif +%if %{with automotive} +%package automotive +Summary: SELinux automotive policy +Provides: selinux-policy-any = %{version}-%{release} +Requires(post): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(pre): coreutils +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = %{version}-%{release} +Conflicts: seedit +Conflicts: container-selinux <= 1.9.0-9 + +%description automotive +SELinux automotive policy package. + +%pretrans automotive -p +%backupConfigLua +%removeVarrunModuleLua automotive +%removeBinsbinModuleLua automotive + +%pre automotive +%preInstall automotive +if [ $1 -ne 1 ]; then + %{_sbindir}/semodule -s automotive --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/automotive/instmodules.lst +fi + +%post automotive +%checkConfigConsistency automotive +modules=`cat %{_datadir}/selinux/automotive/modules.lst` +basemodules=`cat %{_datadir}/selinux/automotive/base.lst` +enabledmodules=`cat %{_datadir}/selinux/automotive/modules-enabled.lst` +if [ ! 
-d %{_sharedstatedir}/selinux/automotive/active/modules/disabled ]; then + mkdir %{_sharedstatedir}/selinux/automotive/active/modules/disabled +fi +if [ $1 -eq 1 ]; then +for p in $modules; do + touch %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p +done +for p in $basemodules $enabledmodules; do + rm -f %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p +done +%{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null +%{_sbindir}/semodule -B -s automotive 2> /dev/null +else +instpackages=`cat %{_datadir}/selinux/automotive/instmodules.lst` +for p in $modules; do + touch %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p +done +for p in $instpackages; do + rm -f %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p +done +%{_sbindir}/semodule -B -s automotive 2> /dev/null +%relabel automotive +fi +exit 0 + +%posttrans automotive +%checkConfigConsistency automotive +%{_libexecdir}/selinux/varrun-convert.sh automotive +%{_libexecdir}/selinux/binsbin-convert.sh automotive +%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm + +%postun automotive +if [ $1 = 0 ]; then + if [ -s %{_sysconfdir}/selinux/config ]; then + source %{_sysconfdir}/selinux/config &> /dev/null || true + fi + if [ "$SELINUXTYPE" = "automotive" ]; then + %{_sbindir}/setenforce 0 2> /dev/null + if [ ! -s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + fi + fi +fi +exit 0 + +%files automotive -f %{buildroot}%{_datadir}/selinux/automotive/nonbasemodules.lst +%config(noreplace) %{_sysconfdir}/selinux/automotive/contexts/users/unconfined_u +%config(noreplace) %{_sysconfdir}/selinux/automotive/contexts/users/sysadm_u +%fileList automotive +%{_datadir}/selinux/automotive/modules-enabled.lst +%endif + %if %{with mls} %package mls Summary: SELinux MLS policy 
@@ -727,6 +959,8 @@ SELinux MLS (Multi Level Security) policy package. %pretrans mls -p %backupConfigLua +%removeVarrunModuleLua mls +%removeBinsbinModuleLua mls %pre mls %preInstall mls @@ -737,9 +971,11 @@ exit 0 %posttrans mls %checkConfigConsistency mls -%{_libexecdir}/selinux/varrun-convert.sh mls %postInstall $1 mls +%{_libexecdir}/selinux/varrun-convert.sh mls +%{_libexecdir}/selinux/binsbin-convert.sh mls %{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm +%{_sbindir}/restorecon -Ri /usr/sbin /var/run %postun mls if [ $1 = 0 ]; then 
@@ -761,10 +997,487 @@ exit 0 %config(noreplace) %{_sysconfdir}/dnf/protected.d/selinux-policy-mls.conf %config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u %fileList mls + +%package mls-extra +Summary: SELinux mls policy - extra modules +Requires: selinux-policy-mls = %{version}-%{release} +Provides: selinux-policy-epel-mls = %{version}-%{release} +Obsoletes: selinux-policy-epel-mls < 40.13.31-2 + +%description mls-extra +SELinux mls policy package - extra modules + +%pre mls-extra +%preInstall mls + +%posttrans mls-extra +%postInstall $1 mls + +%preun mls-extra +if [ $1 -eq 0 ]; then + %preInstall mls +fi + +%postun mls-extra +if [ $1 -eq 0 ]; then + %postInstall 0 mls +fi + +%files mls-extra -f %{buildroot}%{_datadir}/selinux/mls/modules-extra.lst +%{_datadir}/selinux/mls/modules-extra.lst %endif %changelog ## START: Generated by rpmautospec +* Tue Mar 10 2026 Vit Mojzis - 42.1.18.4 +- Rebuild because of a missing target tag +Resolves: RHEL-152308 + +* Fri Feb 27 2026 Vit Mojzis - 42.1.18-2 +- Rebuild for SELinux userspace 3.10 + +* Mon Feb 23 2026 Zdenek Pytela - 42.1.18-1 +- Allow NetworkManager list bpf directories +Resolves: RHEL-142171 +- Dontaudit systemd-generator connect to sssd over a unix stream socket +Resolves: RHEL-114886 +- Allow pkcsslotd read files in /proc and /sys +Resolves: RHEL-130812 +- Allow pkcsslotd map its private tmpfs files +Resolves: RHEL-130812 +- Allow tlshd communication to unconfined_t over a tcp socket +Resolves: RHEL-125106 +- Label /run/insights-client.ppid with insights_client_run_t +Resolves: RHEL-146687 +- Allow NM nvme dispatcher script start systemd services +Resolves: RHEL-140760 +- Allow tlshd write generic certificate dirs +Resolves: RHEL-127023 +- Allow aide get attributes of tmpfs and devtmpfs filesystems +Resolves: RHEL-121479 +- Allow plasma login manager stop login services +Resolves: RHEL-140911 +- Rebuild selinux policy after installation of the extra package +Resolves: RHEL-135875 +Resolves: 
RHEL-143926 +- Move triggerin scriptlets to the parent packages +Resolves: RHEL-141813 +- Rebuild policy before running {binsbin|varrun}-convert.sh +Resolves: RHEL-141813 + +* Wed Feb 18 2026 Veronika Syncakova - 42.1.17-2 +- Rebuild selinux policy after installation of the extra package +Resolves: RHEL-135875 + +* Fri Feb 13 2026 Zdenek Pytela - 42.1.17-1 +- Allow rhsmcertd read anaconda run files +Resolves: RHEL-141391 +- Allow mdadm to use CAP_BPF during RAID monitoring +Resolves: RHEL-135765 +- Allow mdadm the CAP_SYS_PTRACE capability +Resolves: RHEL-135765 +- Allow staff and sysadm execute iotop using sudo +Resolves: RHEL-134940 +- Allow kernel_t to read/write all domains' pipes +Resolves: RHEL-124442 +- Allow nfsd_t domain setuid and setgid capability for rpc.mountd +Resolves: RHEL-148107 + +* Fri Feb 06 2026 Zdenek Pytela - 42.1.16-1 +- Allow sshd-session inherit limits from its parent sshd process +Resolves: RHEL-136673 +- Revert "Allow sshd-session inherit limits from its parent process" +Resolves: RHEL-136673 +- Allow tlshd write generic certificates +Resolves: RHEL-123737 +- Allow systemd-hostnamed to create its Varlink socket +Resolves: RHEL-139385 +- Update gpg_role() interface with unix_stream_socket permissions +Resolves: RHEL-128555 +- Label /etc/aliases.cdb with etc_aliases_t +Resolves: RHEL-109976 +- Add aliases.lmdb to mta_filetrans_named_content() +Resolves: RHEL-140884 +- Update policy for bootupd +Resolves: RHEL-141391 + +* Tue Jan 27 2026 Vit Mojzis - 42.1.15-2 +- Macros: Require only "stable" version of selinux-policy (RHEL-141423) + +* Mon Jan 26 2026 Zdenek Pytela - 42.1.15-1 +- Allow hostapd write to socket files in /tmp +Resolves: RHEL-77047 +- Allow stap server read virtual memory sysctls +Resolves: RHEL-114104 +- Allow sshd-session inherit limits from its parent process +Resolves: RHEL-136673 +- Allow sshd noatsecure on sshd-session execution +Resolves: RHEL-138247 +- Allow sshd-net read and write to sshd vsock socket +Related: 
RHEL-138247 + +* Fri Jan 09 2026 Zdenek Pytela - 42.1.14-1 +- Update ktls policy +Resolves: RHEL-123737 +- Update policy for redfish-finder +Resolves: RHEL-50299 +- Allow sshd-session read, write, and map ica tmpfs files +Resolves: RHEL-138247 +- Allow sshd_net_t ioctl on unix_stream_socket of sshd_session_t +Resolves: RHEL-127721 +- Allow stalld map sysfs files +Resolves: RHEL-135512 +- Allow aide get attributes of a filesystem with extended attributes +Resolves: RHEL-121479 +- Label miscellaneous /dev/papr-* devices +Resolves: RHEL-129839 +- Allow KDE Plasma Login Manager to function as a display manager +Resolves: RHEL-135676 +- Update specfile trigger for openwsmand +Resolves: RHEL-133024 + +* Thu Dec 11 2025 Zdenek Pytela - 42.1.13-1 +- Add the rpm_signal() interface +Related: RHEL-107589 +- Allow tuned_t use its private tmpfs files +Related: RHEL-107589 +- Allow samba-bgqd send to smbd over a unix datagram socket +Resolves: RHEL-93731 +- Allow kdump search kdumpctl_tmp_t directories +Resolves: RHEL-116041 +- Confine redfish_finder - host api discovery service +Resolves: RHEL-50299 +- Update policy for dhcpc_hook_t +Resolves: RHEL-113937 +- Label /usr/libexec/dhcpcd-run-hooks with dhcpc_hook_exec_t +Resolves: RHEL-113937 +- Allow systemd to map files under /sys +Resolves: RHEL-132638 + +* Wed Nov 26 2025 Zdenek Pytela - 42.1.12-1 +- Update kernel_secretmem_use() +Resolves: RHEL-116154 +- Allow system_mail_t read apache system content conditionally +Resolves: RHEL-114970 +- Allow create kerberos files in postgresql db home +Resolves: RHEL-119619 +- Update specfile trigger for smartmontools +Resolves: RHEL-113167 + +* Tue Nov 11 2025 Zdenek Pytela - 42.1.11-1 +- Allow iotop stream connect to systemd-userdbd +Resolves: RHEL-105481 +- Allow insights-client manage /etc symlinks +Resolves: RHEL-107589 +- Allow insights-client get attributes of the rpm executable +Resolves: RHEL-124855 +- Allow nfsidmapd search virt lib directories +Resolves: RHEL-68722 +- Allow 
kdump search kdumpctl_tmp_t directories +Resolves: RHEL-116041 + +* Mon Oct 27 2025 Zdenek Pytela - 42.1.10-1 +- Allow sshd-auth read generic proc files +Resolves: RHEL-107732 +- Allow sshd-auth read and write user domain ptys +Resolves: RHEL-107732 +- Allow sshd-session get attributes of sshd vsock socket +Resolves: RHEL-107732 +- Adjust guest and xguest users policy for sshd-session +Resolves: RHEL-107732 +- Update files_search_base_file_types() +Resolves: RHEL-107732 +- Allow sshd-session read cockpit pid files +Resolves: RHEL-107732 +- Add default contexts for sshd-seesion +Resolves: RHEL-107732 +- Define types for new openssh executables +Resolves: RHEL-107732 +- Allow ras-mc-ctl get attributes of the kmod executable +Resolves: RHEL-102535 +- Define file equivalency for /var/opt +Resolves: RHEL-116512 +- Update specfile triggers for DSP modules +Resolves: RHEL-116044 + +* Wed Oct 08 2025 Zdenek Pytela - 42.1.9-1 +- Allow systemd-oomd watch tmpfs dirs +Resolves: RHEL-106998 +- Allow systemd-oomd watch dbus pid sock files +Resolves: RHEL-106998 +- Allow userdomain to connect to systemd-oomd over a unix socket +Resolves: RHEL-106998 +- Allow 'oomctl dump' to interact with systemd-oomd +Resolves: RHEL-106998 +- Basic functionality for systemd-oomd +Resolves: RHEL-106998 +- Basic enablement for systemd-oomd +Resolves: RHEL-106998 +- Remove permissive domains +Resolves: RHEL-107038 +- Allow iptables manage its private fifo_files in /tmp +Resolves: RHEL-83775 +- Allow ras-mc-ctl write to sysfs files +Resolves: RHEL-86926 +- Allow nfs generator create and use netlink sockets +Resolves: RHEL-111556 +- Revert "Allow virt_domain write to virt_image_t files" +Resolves: RHEL-93773 + +* Fri Sep 19 2025 Zdenek Pytela - 42.1.8-1 +- Reapply "Add insights_core interfaces" +Resolves: RHEL-112368 +- Reapply "Add policy for insights-core" +Resolves: RHEL-112368 + +* Thu Aug 21 2025 Zdenek Pytela - 42.1.7-1 +- Revert "Add policy for insights-core" +Resolves: RHEL-110651 +- Revert 
"Add insights_core interfaces" +Resolves: RHEL-110651 + +* Wed Aug 13 2025 Vit Mojzis - 42.1.6-2 +- Add selinux-policy-automotive sub-package (RHEL-105410) + +* Tue Aug 12 2025 Zdenek Pytela - 42.1.6-1 +- Apply generator template to selinux-autorelabel generator +Resolves: RHEL-107516 +- Allow systemd-coredumpd capabilities in the user namespace +Resolves: RHEL-97586 +- Allow virtqemud start a vm which uses nbdkit +Resolves: RHEL-69118 +- Add nbdkit_signal() and nbdkit_signull() interfaces +Resolves: RHEL-69118 +- Allow openvswitch read virtqemud process state +Resolves: RHEL-65322 +- Add binsbin-convert.sh script +Resolves: RHEL-69118 + +* Fri Aug 08 2025 Zdenek Pytela - 42.1.5-1 +- Confine nfs-server generator +Resolves: RHEL-106119 +- Support virtqemud handle hotplug hostdev devices +Resolves: RHEL-65266 +- Allow virtstoraged create qemu /var/run files +Resolves: RHEL-104344 +- Allow virtqemud write to sysfs files +Resolves: RHEL-104378 +- Allow unconfined_domain_type cap2_userns capabilities +Resolves: RHEL-93656 + +* Thu Jul 31 2025 Zdenek Pytela - 42.1.4-1 +- Allow systemd-coredump the sys_chroot capability +Resolves: RHEL-97586 +- Add the rhcd_rw_fifo_files() interface +Related: RHEL-99318 +- Add insights_client_delete_lib_dirs() interface +Related: RHEL-99318 + +* Wed Jul 23 2025 Vit Mojzis - 42.1.3-2 +- Rebuild for SELinux userspace 3.9 + +* Fri Jul 18 2025 Zdenek Pytela - 42.1.3-1 +- Allow svirt read virtqemud fifo files +Resolves: RHEL-104069 +- Allow virtqemud handle virt_content_t chr files +Resolves: RHEL-76104 +- Allow "hostapd_cli ping" run as a systemd service +Resolves: RHEL-77047 +- All sblim-sfcbd the dac_read_search capability +Resolves: RHEL-98287 +- Allow sblim domain read systemd session files +Resolves: RHEL-98287 +- Allow sblim-sfcbd execute dnsdomainname +Resolves: RHEL-98287 +- Allow systemd-importd create and unlink init pid socket +Resolves: RHEL-98490 + +* Wed Jul 16 2025 Zdenek Pytela - 42.1.2-1 +- Remove permissive domains 
+Resolves: RHEL-103661 +- Adjust modules list +Resolves: RHEL-103661 + +* Mon Jul 14 2025 Zdenek Pytela - 42.1.1-1 +- Rebase selinux-policy to the newest one available in Fedora 42 +Resolves: RHEL-54303 + +* Wed Jul 02 2025 Zdenek Pytela - 40.13.35-1 +- Remove duplicate summary header +Related: RHEL-87742 +- Allow irqbalance execute shell if irqbalance_run_unconfined is on +Resolves: RHEL-54019 +- virt: allow QEMU use of the qgs daemon for attestation +Resolves: RHEL-87742 +- qgs: add contrib module for TDX "qgs" daemon +Resolves: RHEL-87742 +- kernel: add interfaces for using SGX enclaves +Resolves: RHEL-87742 + +* Tue Jul 01 2025 Zdenek Pytela - 40.13.34-1 +- Allow systemd-coredump the sys_admin capability +Resolves: RHEL-97586 +- Dontaudit systemd-coredump the sys_resource capability +Resolves: RHEL-97586 +- Allow systemd-coredumpd sys_admin and sys_resource capabilities +Resolves: RHEL-97586 +- Allow systemd-coredump read nsfs files +Resolves: RHEL-97586 +- Dontaudit systemd-coredump sys_admin capability +Resolves: RHEL-97586 +- Allow svirt-tcg read init state +Resolves: RHEL-95725 +- Allow virtqemud create and unlink files in /etc/libvirt/ +Resolves: RHEL-95725 +- Allow virtqemud send a generic signal to passt +Resolves: RHEL-44994 +- Allow openvswitch ioctl vduse devices +Resolves: RHEL-93041 +- Label /dev/vduse/control and /dev/vduse/NAME devices +Resolves: RHEL-93041 +- Allow virtstoraged the sys_rawio capability +Resolves: RHEL-44639 +- Allow virtstoraged fsetid capability +Resolves: RHEL-44639 +- Allow virtqemud additional permissions on scsi generic chr files +Resolves: RHEL-44628 +- Allow irqbalance execute shell if irqbalance_run_unconfined is on +Resolves: RHEL-54019 +- Fix files_dontaudit_delete_all_files() +Resolves: RHEL-86789 +- Allow virtnodedev create mdevctl config dirs +Resolves: RHEL-98559 +- Allow cryptsetup-generator manage systemd unit files +Resolves: RHEL-98656 + +* Fri Jun 06 2025 Zdenek Pytela - 40.13.33-1 +- Allow systemd_generator 
read files in /proc and /sys +Resolves: RHEL-36740 +- Update irqbalance policy for using unconfined scripts +Resolves: RHEL-54019 +- Allow utempter use terminal multiplexor +Resolves: RHEL-56344 +- Allow virtqemud execute ovs-vsctl with a domain transition +Resolves: RHEL-65322 +- Allow mptcpd the net_admin capability +Resolves: RHEL-70730 +- Allow tomcat execute cracklib-check with a domain transition +Resolves: RHEL-82090 +- Update the files_search_mnt() interface +Resolves: RHEL-85178 +- Allow key.dns_resolve set attributes on the kernel key ring +Resolves: RHEL-91602 +- Allow switcheroo-control dbus chat with xdm +Resolves: RHEL-93535 +- Revert "Allow virt_domain write to virt_image_t files" +Resolves: RHEL-93773 + +* Thu May 29 2025 Zdenek Pytela - 40.13.32-1 +- Backport policy for additional systemd generators from rawhide +Resolves: RHEL-36740 +- Allow login_userdomain create /run/tlog directory with user_tmp_t +Resolves: RHEL-56344 +- Backport bootupd policy from current Fedora rawhide +Resolves: RHEL-86588 + +* Wed May 21 2025 Petr Lautrbach - 40.13.31-2 +- Build selinux-policy-extra packages +- Obsolete selinux-policy-epel packages + +* Tue May 20 2025 Zdenek Pytela - 40.13.31-1 +- Label /dev/diag as diagnostic_device_t +Resolves: RHEL-89804 +- Label SetroubleshootPrivileged.py with setroubleshootd_exec_t +Resolves: RHEL-87727 +- Allow syslogd watch syslog_conf_t directories +Resolves: RHEL-87648 +- Allow networkmanager send a general signal to iptables +Resolves: RHEL-86780 +- Define file equivalency for /var/etc +Resolves: RHEL-86678 +- Update bootupd policy when ESP is not mounted +Resolves: RHEL-86588 +- dontaudit execmem for modemmanager +Resolves: RHEL-86176 +- Allow systemd create journal pid files +Resolves: RHEL-72692 +- Allow virtqemud read/write/setattr input event devices +Resolves: RHEL-46385 + +* Mon Apr 28 2025 Zdenek Pytela - 40.13.30-1 +- Allow auditctl signal auditd +Resolves: RHEL-87418 +- Update bootupd policy for the 
removing-state-file test +Resolves: RHEL-87372 +- Allow systemd-user-runtime-dir get/set tmpfs quotas +Resolves: RHEL-86789 +- Allow systemd-user-runtime-dir delete gnome homedir content +Resolves: RHEL-86789 +- Confine /usr/lib/systemd/systemd-user-runtime-dir +Resolves: RHEL-86789 +- Allow system-dbusd list systemd-machined directories +Resolves: RHEL-86528 +- Allow NetworkManager create and use icmp_socket +Resolves: RHEL-86258 +- Allow tuned-ppd dbus chat with xdm +Resolves: RHEL-85849 +- Allow virt_domain write to virt_image_t files +Resolves: RHEL-85319 +- Allow rhsmcertd connect to systemd-machined +Resolves: RHEL-83925 +- Allow varnishd execute the prlimit64() syscall +Resolves: RHEL-77779 +- Allow systemd-machined the kill user-namespace capability +Resolves: RHEL-77087 +- Allow system_dbusd_t r/w unix stream sockets of unconfined_service_t +Resolves: RHEL-62185 +- Allow tlshd read network sysctls +Resolves: RHEL-74424 + +* Tue Apr 15 2025 Zdenek Pytela - 40.13.29-1 +- Revert "Dontaudit access of virt-related permissive domains" +Resolves: RHEL-79833 +- Remove permissive domains +Resolves: RHEL-82672 + +* Tue Apr 08 2025 Zdenek Pytela - 40.13.28-1 +- Change path of tuned and tuned-ppd to /usr/sbin +Resolves: RHEL-69450 +- Update the pcmsensor policy +Resolves: RHEL-80452 +- Allow dovecot-deliver read mail aliases +Resolves: RHEL-80153 +- Allow boothd connect to systemd-machined over a unix socket +Resolves: RHEL-75471 +- Allow chronyd-restricted sendto to chronyc +Resolves: RHEL-82299 +- Allow chronyc sendto to chronyd-restricted +Resolves: RHEL-82299 +- Allow cifs.idmap helper to set attributes on kernel keys +Resolves: RHEL-83921 +- Remove ktls from modules-filtered.lst +Resolves: RHEL-74424 + +* Mon Mar 31 2025 Zdenek Pytela - 40.13.27-1 +- Allow afterburn to mount and read config drives +Resolves: RHEL-82120 +- Update afterburn file transition policy +Resolves: RHEL-82120 +- Label /run/metadata with afterburn_runtime_t +Resolves: RHEL-82120 +- Allow 
afterburn list ssh home directory +Resolves: RHEL-82120 +- Confine tuned-ppd +Resolves: RHEL-69450 +- Update ktls policy +Resolves: RHEL-74424 +- Add the switcheroo module +Resolves: RHEL-83267 +- Update switcheroo policy +Resolves: RHEL-83267 +- Confine the switcheroo-control service +Resolves: RHEL-83267 + * Mon Feb 17 2025 Zdenek Pytela - 40.13.26-1 - Rename winbind_rpcd_* types to samba_dcerpcd_* Resolves: RHEL-14759 
@@ -1316,185 +2029,4 @@ Resolves: RHEL-30455 - Update rpm configuration for the /var/run equivalency change Resolves: RHEL-36094 -* Mon Feb 12 2024 Zdenek Pytela - 40.13-1 -- Only allow confined user domains to login locally without unconfined_login -- Add userdom_spec_domtrans_confined_admin_users interface -- Only allow admindomain to execute shell via ssh with ssh_sysadm_login -- Add userdom_spec_domtrans_admin_users interface -- Move ssh dyntrans to unconfined inside unconfined_login tunable policy -- Update ssh_role_template() for user ssh-agent type -- Allow init to inherit system DBus file descriptors -- Allow init to inherit fds from syslogd -- Allow any domain to inherit fds from rpm-ostree -- Update afterburn policy -- Allow init_t nnp domain transition to abrtd_t - -* Tue Feb 06 2024 Zdenek Pytela - 40.12-1 -- Rename all /var/lock file context entries to /run/lock -- Rename all /var/run file context entries to /run -- Invert the "/var/run = /run" equivalency - -* Mon Feb 05 2024 Zdenek Pytela - 40.11-1 -- Replace init domtrans rule for confined users to allow exec init -- Update dbus_role_template() to allow user service status -- Allow polkit status all systemd services -- Allow setroubleshootd create and use inherited io_uring -- Allow load_policy read and write generic ptys -- Allow gpg manage rpm cache -- Allow login_userdomain name_bind to howl and xmsg udp ports -- Allow rules for confined users logged in plasma -- Label /dev/iommu with iommu_device_t -- Remove duplicate file context entries in /run -- Dontaudit getty and plymouth the checkpoint_restore capability -- Allow su domains write login records -- Revert "Allow su domains write login records" -- Allow login_userdomain delete session dbusd tmp socket files -- Allow unix dgram sendto between exim processes -- Allow su domains write login records -- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on - -* Wed Jan 24 2024 Zdenek Pytela - 40.10-1 -- Allow chronyd-restricted 
read chronyd key files -- Allow conntrackd_t to use bpf capability2 -- Allow systemd-networkd manage its runtime socket files -- Allow init_t nnp domain transition to colord_t -- Allow polkit status systemd services -- nova: Fix duplicate declarations -- Allow httpd work with PrivateTmp -- Add interfaces for watching and reading ifconfig_var_run_t -- Allow collectd read raw fixed disk device -- Allow collectd read udev pid files -- Set correct label on /etc/pki/pki-tomcat/kra -- Allow systemd domains watch system dbus pid socket files -- Allow certmonger read network sysctls -- Allow mdadm list stratisd data directories -- Allow syslog to run unconfined scripts conditionally -- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t -- Allow qatlib set attributes of vfio device files - -* Tue Jan 09 2024 Zdenek Pytela - 40.9-1 -- Allow systemd-sleep set attributes of efivarfs files -- Allow samba-dcerpcd read public files -- Allow spamd_update_t the sys_ptrace capability in user namespace -- Allow bluetooth devices work with alsa -- Allow alsa get attributes filesystems with extended attributes - -* Tue Jan 02 2024 Yaakov Selkowitz - 40.8-2 -- Limit %%selinux_requires to version, not release - -* Thu Dec 21 2023 Zdenek Pytela - 40.8-1 -- Allow hypervkvp_t write access to NetworkManager_etc_rw_t -- Add interface for write-only access to NetworkManager rw conf -- Allow systemd-sleep send a message to syslog over a unix dgram socket -- Allow init create and use netlink netfilter socket -- Allow qatlib load kernel modules -- Allow qatlib run lspci -- Allow qatlib manage its private runtime socket files -- Allow qatlib read/write vfio devices -- Label /etc/redis.conf with redis_conf_t -- Remove the lockdown-class rules from the policy -- Allow init read all non-security socket files -- Replace redundant dnsmasq pattern macros -- Remove unneeded symlink perms in dnsmasq.if -- Add additions to dnsmasq interface -- Allow nvme_stas_t create and use netlink kobject 
uevent socket -- Allow collectd connect to statsd port -- Allow keepalived_t to use sys_ptrace of cap_userns -- Allow dovecot_auth_t connect to postgresql using UNIX socket - -* Wed Dec 13 2023 Zdenek Pytela - 40.7-1 -- Make named_zone_t and named_var_run_t a part of the mountpoint attribute -- Allow sysadm execute traceroute in sysadm_t domain using sudo -- Allow sysadm execute tcpdump in sysadm_t domain using sudo -- Allow opafm search nfs directories -- Add support for syslogd unconfined scripts -- Allow gpsd use /dev/gnss devices -- Allow gpg read rpm cache -- Allow virtqemud additional permissions -- Allow virtqemud manage its private lock files -- Allow virtqemud use the io_uring api -- Allow ddclient send e-mail notifications -- Allow postfix_master_t map postfix data files -- Allow init create and use vsock sockets -- Allow thumb_t append to init unix domain stream sockets -- Label /dev/vas with vas_device_t -- Change domain_kernel_load_modules boolean to true -- Create interface selinux_watch_config and add it to SELinux users - -* Tue Nov 28 2023 Zdenek Pytela - 40.6-1 -- Add afterburn to modules-targeted-contrib.conf -- Update cifs interfaces to include fs_search_auto_mountpoints() -- Allow sudodomain read var auth files -- Allow spamd_update_t read hardware state information -- Allow virtnetworkd domain transition on tc command execution -- Allow sendmail MTA connect to sendmail LDA -- Allow auditd read all domains process state -- Allow rsync read network sysctls -- Add dhcpcd bpf capability to run bpf programs -- Dontaudit systemd-hwdb dac_override capability -- Allow systemd-sleep create efivarfs files - -* Tue Nov 14 2023 Zdenek Pytela - 40.5-1 -- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on -- Allow graphical applications work in Wayland -- Allow kdump work with PrivateTmp -- Allow dovecot-auth work with PrivateTmp -- Allow nfsd get attributes of all filesystems -- Allow unconfined_domain_type use io_uring cmd on domain -- 
ci: Only run Rawhide revdeps tests on the rawhide branch -- Label /var/run/auditd.state as auditd_var_run_t -- Allow fido-device-onboard (FDO) read the crack database -- Allow ip an explicit domain transition to other domains -- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t -- Allow winbind_rpcd_t processes access when samba_export_all_* is on -- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection -- Allow ntp to bind and connect to ntske port. -- Allow system_mail_t manage exim spool files and dirs -- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t -- Label /run/pcsd.socket with cluster_var_run_t -- ci: Run cockpit tests in PRs - -* Thu Oct 19 2023 Zdenek Pytela - 40.4-1 -- Add map_read map_write to kernel_prog_run_bpf -- Allow systemd-fstab-generator read all symlinks -- Allow systemd-fstab-generator the dac_override capability -- Allow rpcbind read network sysctls -- Support using systemd containers -- Allow sysadm_t to connect to iscsid using a unix domain stream socket -- Add policy for coreos installer -- Add coreos_installer to modules-targeted-contrib.conf - -* Tue Oct 17 2023 Zdenek Pytela - 40.3-1 -- Add policy for nvme-stas -- Confine systemd fstab,sysv,rc-local -- Label /etc/aliases.lmdb with etc_aliases_t -- Create policy for afterburn -- Add nvme_stas to modules-targeted-contrib.conf -- Add plans/tests.fmf - -* Tue Oct 10 2023 Zdenek Pytela - 40.2-1 -- Add the virt_supplementary module to modules-targeted-contrib.conf -- Make new virt drivers permissive -- Split virt policy, introduce virt_supplementary module -- Allow apcupsd cgi scripts read /sys -- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes -- Allow kernel_t to manage and relabel all files -- Add missing optional_policy() to files_relabel_all_files() - -* Tue Oct 03 2023 Zdenek Pytela - 40.1-1 -- Allow named and ndc use the io_uring api -- Deprecate common_anon_inode_perms usage -- Improve default file 
context(None) of /var/lib/authselect/backups -- Allow udev_t to search all directories with a filesystem type -- Implement proper anon_inode support -- Allow targetd write to the syslog pid sock_file -- Add ipa_pki_retrieve_key_exec() interface -- Allow kdumpctl_t to list all directories with a filesystem type -- Allow udev additional permissions -- Allow udev load kernel module -- Allow sysadm_t to mmap modules_object_t files -- Add the unconfined_read_files() and unconfined_list_dirs() interfaces -- Set default file context of HOME_DIR/tmp/.* to <> -- Allow kernel_generic_helper_t to execute mount(1) - ## END: Generated by rpmautospec diff --git a/sources b/sources index 82123ce9..e86a6389 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (container-selinux.tgz) = 85ca0aa03fe4477351cb530da30e4ceb0990663ad1e3faf4a7d7c3377d7b871a25ba94b8388eb27a0802996a5b001913bbb153d0b0b154d06f24e1f0c5138b50 -SHA512 (selinux-policy-061ed78.tar.gz) = d22ff5253c9c8446cded5dba2f34f421fb9f7d9e3df187afa090a385ae14ffc580b38090da88fa36d6b249a0d9e5abf002c8d9cbe3af9045a174ba213ccdc6d9 +SHA512 (container-selinux.tgz) = c3955d9c761ac5368bfa4ec1439d6952a82ae27a9a26157d8bdd20316a2b0e89ec7e3f6e1e156183def4df4cafc8f90378335ed1c296f516e241855d52554ec5 +SHA512 (selinux-policy-9e50303.tar.gz) = 4adc6bea2d3365d6280c6d7d7437b3064ece4142a3b0c9540265a03a75a95a74b3e33cd6f9e52d3fe444086792e3256918124ce1aa69ec66dd8050b86669cb14