* Tue Aug 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-1

- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket - Add interface devicekit_mounton_var_lib() - Allow httpd_t domain to mmap tmp files - Allow tcsd_t domain to have dac_override capability - Allow cupsd_t to rename cupsd_etc_t files - Allow iptables_t domain to create rawip sockets - Allow amanda_t domain to mmap own tmpfs files - Allow fcoemon_t domain to write to sysfs_t dirs - Allow dovecot_auth_t domain to have dac_override capability - Allow geoclue_t domain to mmap own tmp files - Allow chronyc_t domain to read network state - Allow apcupsd_t domain to execute itself - Allow modemmanager_t domain to stream connect to sssd - Allow chonyc_t domain to rw userdomain pipes - Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks - Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files - Allow nagios_script_t domain to mmap nagios_spool_t files - Allow geoclue_t domain to mmap geoclue_var_lib_t files - Allow geoclue_t domain to map generic certs - Update munin_manage_var_lib_files to allow manage also dirs - Allow nsd_t domain to create new socket file in /var/run/nsd.ctl - Fix typo in virt SELinux policy module - Allow virtd_t domain to create netlink_socket - Allow rpm_t domain to write to audit - Allow nagios_script_t domain to mmap nagios_etc_t files - Update nscd_socket_use() to allow caller domain to stream connect to nscd_t - Allow kdumpctl_t domain to getattr fixed disk device in mls - Fix typo in stapserver policy - Dontaudit abrt_t domain to write to usr_t dirs - Revert "Allow rpcbind to bind on all unreserved udp ports" - Allow rpcbind to bind on all unreserved udp ports - Allow virtlogd to execute itself - Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files - Allow ypxfr_t domain to stream connect to rpcbind and allos search sssd libs - Allos systemd to socket activate ibacm service - Allow dirsrv_t domain to mmap user_t files - Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files - Allow kdumpctl to write to files on all levels - Allow httpd_t domain to mmap httpd_config_t files - Allow sanlock_t domain to connectto to unix_stream_socket - Revert "Add same context for symlink as binary" - Allow mysql execute rsync - Update nfsd_t policy because of ganesha features - Allow conman to getattr devpts_t - Allow tomcat_domain to connect to smtp ports - Allow tomcat_t domain to mmap tomcat_var_lib_t files - Allow nagios_t domain to mmap nagios_log_t files - Allow kpropd_t domain to mmap krb5kdc_principal_t files - Allow kdumpctl_t domain to read fixed disk storage
2018-08-29 00:10:24 +02:00 · 2018-08-29 00:10:24 +02:00 · 046756d71a
parent cb2fee86ff
commit 046756d71a
3 changed files with 91 additions and 7 deletions
--- a/.gitignore
+++ b/.gitignore
@ -304,3 +304,5 @@ serefpolicy*
 /selinux-policy-e08b2da.tar.gz
 /selinux-policy-8555de5.tar.gz
 /selinux-policy-contrib-ab97c9d.tar.gz
+/selinux-policy-c8dfe84.tar.gz
+/selinux-policy-contrib-a342008.tar.gz
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 8555de535032724934dbb7fb0d592c4345fa4c28
+%global commit0 c8dfe84c09d2d197265f1d883f8b11527f5846c9
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})

 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 ab97c9dae9ef424a61dd503c5e139c7b099f6b34
+%global commit1 a3420086d85dcd5b7407c3101587047369c45ea1
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})

 %define distro redhat
@ -28,8 +28,8 @@
 %define CHECKPOLICYVER 2.8
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.14.2
-Release: 32%{?dist}
+Version: 3.14.3
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
@ -709,6 +709,88 @@ exit 0
 %endif

 %changelog
+* Tue Aug 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-1
+- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket
+- Add interface devicekit_mounton_var_lib()
+- Allow httpd_t domain to mmap tmp files
+- Allow tcsd_t domain to have dac_override capability
+- Allow cupsd_t to rename cupsd_etc_t files
+- Allow iptables_t domain to create rawip sockets
+- Allow amanda_t domain to mmap own tmpfs files
+- Allow fcoemon_t domain to write to sysfs_t dirs
+- Allow dovecot_auth_t domain to have dac_override capability
+- Allow geoclue_t domain to mmap own tmp files
+- Allow chronyc_t domain to read network state
+- Allow apcupsd_t domain to execute itself
+- Allow modemmanager_t domain to stream connect to sssd
+- Allow chonyc_t domain to rw userdomain pipes
+- Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks
+- Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files
+- Allow nagios_script_t domain to mmap nagios_spool_t files
+- Allow geoclue_t domain to mmap geoclue_var_lib_t files
+- Allow geoclue_t domain to map generic certs
+- Update munin_manage_var_lib_files to allow manage also dirs
+- Allow nsd_t domain to create new socket file in /var/run/nsd.ctl
+- Fix typo in virt SELinux policy module
+- Allow virtd_t domain to create netlink_socket
+- Allow rpm_t domain to write to audit
+- Allow nagios_script_t domain to mmap nagios_etc_t files
+- Update nscd_socket_use() to allow caller domain to stream connect to nscd_t
+- Allow kdumpctl_t domain to getattr fixed disk device in mls
+- Fix typo in stapserver policy
+- Dontaudit abrt_t domain to write to usr_t dirs
+- Revert "Allow rpcbind to bind on all unreserved udp ports"
+- Allow rpcbind to bind on all unreserved udp ports
+- Allow virtlogd to execute itself
+- Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files
+- Allow ypxfr_t domain to stream connect to rpcbind and allos search sssd libs
+- Allos systemd to socket activate ibacm service
+- Allow dirsrv_t domain to mmap user_t files
+- Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files
+- Allow kdumpctl to write to files on all levels
+- Allow httpd_t domain to mmap httpd_config_t files
+- Allow sanlock_t domain to connectto to unix_stream_socket
+- Revert "Add same context for symlink as binary"
+- Allow mysql execute rsync
+- Update nfsd_t policy because of ganesha features
+- Allow conman to getattr devpts_t
+- Allow tomcat_domain to connect to smtp ports
+- Allow tomcat_t domain to mmap tomcat_var_lib_t files
+- Allow nagios_t domain to mmap nagios_log_t files
+- Allow kpropd_t domain to mmap krb5kdc_principal_t files
+- Allow kdumpctl_t domain to read fixed disk storage
+- Fix issue with aliases in apache interface file
+- Add same context for symlink as binary
+- Allow boltd_t to send logs to journal
+- Allow colord_use_nfs to allow colord also mmap nfs_t files
+- Allow mysqld_safe_t do execute itself
+- Allow smbd_t domain to chat via dbus with avahi daemon
+- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t
+- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain
+- Add alias httpd__script_t to _script_t to make sepolicy generate working
+- Allow dhcpc_t domain to read /dev/random
+- Allow systemd to mounton kernel system table
+- Allow systemd to mounton device_var_lib_t dirs
+- Label also chr_file /dev/mtd.* devices as fixed_disk_device_t
+- Allow syslogd_t domain to create netlink generic sockets
+- Label /dev/tpmrm[0-9]* as tpm_device_t
+- Update dev_filetrans_all_named_dev() to allow create event22-30 character files with label event_device_t
+- Update userdom_security_admin() and userdom_security_admin_template() to allow use auditctl
+- Allow insmod_t domain to read iptables pid files
+- Allow systemd to mounton /etc
+- Allow initrc_domain to mmap all binaries labeled as systemprocess_entry
+- Allow xserver_t domain to start using systemd socket activation
+- Tweak SELinux policy for systemd to allow DynamicUsers systemd feature
+- Associate several proc labels to fs_t
+- Update init_named_socket_activation() interface to allow systemd also create link files in /var/run
+- Fix typo in syslogd policy
+- Update syslogd policy to make working elasticsearch
+- Label tcp and udp ports 9200 as wap_wsp_port
+- Allow few domains to rw inherited kdumpctl tmp pipes
+- label /var/lib/pgsql/data/log as postgresql_log_t
+- Allow sysadm_t domain to accept socket
+- Allow systemd to manage passwd_file_t
+
 * Fri Aug 10 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-32
 - Fix issue with aliases in apache interface file
 - Add same context for symlink as binary
--- a/6
+++ b/6
@ -1,3 +1,3 @@
-SHA512 (selinux-policy-8555de5.tar.gz) = 508749e491a927287f654ca43112c8f52ebee6e1d18b06dcbbd1271bc0f47a95332620bfa812b1562eacf3457ce5ad3d072d518919737e5ef1f691cb2788e99e
-SHA512 (selinux-policy-contrib-ab97c9d.tar.gz) = eb2b41519b8f9512263c786b88f6a5cc8be43d419dceb2f1528f03018203226d4659993ab1cc135a509be5b41568ce33590026eddc8cd0184c49aedb30778b04
-SHA512 (container-selinux.tgz) = 9ea0c3d432d9f875f57daf0c1e5097f3ca93b029492a9a30446962550f0d87bb3781e8f65dbcdfd7fc14dd219ca74100aa73b936707a1c6fca0d6dfbcf4b4a40
+SHA512 (selinux-policy-c8dfe84.tar.gz) = 1932e821f40e5f255580c9fd6ac48fdbe78ec86c89de04bba9a297e4971e4c96c3127ef890ab4a864b33f2230aad3b31b1aae08b509e501864763e3a53b11f05
+SHA512 (selinux-policy-contrib-a342008.tar.gz) = 3e49ff37fa815ff18ff9e6daa02c385b660ef9f63e7cdd475895f864834d5a8afd7f5355f2c5c936c370861f45606d82cf1c38c0f149ee7d3e7aba4e114adfbc
+SHA512 (container-selinux.tgz) = 5ec87fe001d2c6256d7e97963e9ab44fc1068cd0df251a7f40547505f2f6c8e9e20ff0056da9bce7d37afb6649da6dfe605248885293d5d39b48e378d2554570