From 04dfd0db74523ab8d5136089bb59cb3cbcc3db69 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Tue, 15 Apr 2025 10:50:26 +0200
Subject: [PATCH] * Tue Apr 15 2025 Zdenek Pytela - 40.13.29-1

- Revert "Dontaudit access of virt-related permissive domains"
Resolves: RHEL-79833
- Remove permissive domains
Resolves: RHEL-82672
---
 changelog | 187 ++------------------------------------------
 selinux-policy.spec | 4 +-
 sources | 4 +-
 3 files changed, 10 insertions(+), 185 deletions(-)

diff --git a/changelog b/changelog
index 9c76fd42..827618ee 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,9 @@
+* Tue Apr 15 2025 Zdenek Pytela - 40.13.29-1
+- Revert "Dontaudit access of virt-related permissive domains"
+Resolves: RHEL-79833
+- Remove permissive domains
+Resolves: RHEL-82672
+
 * Tue Apr 08 2025 Zdenek Pytela - 40.13.28-1
 - Change path of tuned and tuned-ppd to /usr/sbin
 Resolves: RHEL-69450
@@ -586,184 +592,3 @@ Resolves: RHEL-36073
 Resolves: RHEL-30455
 - Update rpm configuration for the /var/run equivalency change
 Resolves: RHEL-36094
-
-* Mon Feb 12 2024 Zdenek Pytela - 40.13-1
-- Only allow confined user domains to login locally without unconfined_login
-- Add userdom_spec_domtrans_confined_admin_users interface
-- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
-- Add userdom_spec_domtrans_admin_users interface
-- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
-- Update ssh_role_template() for user ssh-agent type
-- Allow init to inherit system DBus file descriptors
-- Allow init to inherit fds from syslogd
-- Allow any domain to inherit fds from rpm-ostree
-- Update afterburn policy
-- Allow init_t nnp domain transition to abrtd_t
-
-* Tue Feb 06 2024 Zdenek Pytela - 40.12-1
-- Rename all /var/lock file context entries to /run/lock
-- Rename all /var/run file context entries to /run
-- Invert the "/var/run = /run" equivalency
-
-* Mon Feb 05 2024 Zdenek Pytela - 40.11-1
-- Replace init domtrans rule for confined users to allow exec init
-- Update dbus_role_template() to allow user service status
-- Allow polkit status all systemd services
-- Allow setroubleshootd create and use inherited io_uring
-- Allow load_policy read and write generic ptys
-- Allow gpg manage rpm cache
-- Allow login_userdomain name_bind to howl and xmsg udp ports
-- Allow rules for confined users logged in plasma
-- Label /dev/iommu with iommu_device_t
-- Remove duplicate file context entries in /run
-- Dontaudit getty and plymouth the checkpoint_restore capability
-- Allow su domains write login records
-- Revert "Allow su domains write login records"
-- Allow login_userdomain delete session dbusd tmp socket files
-- Allow unix dgram sendto between exim processes
-- Allow su domains write login records
-- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
-
-* Wed Jan 24 2024 Zdenek Pytela - 40.10-1
-- Allow chronyd-restricted read chronyd key files
-- Allow conntrackd_t to use bpf capability2
-- Allow systemd-networkd manage its runtime socket files
-- Allow init_t nnp domain transition to colord_t
-- Allow polkit status systemd services
-- nova: Fix duplicate declarations
-- Allow httpd work with PrivateTmp
-- Add interfaces for watching and reading ifconfig_var_run_t
-- Allow collectd read raw fixed disk device
-- Allow collectd read udev pid files
-- Set correct label on /etc/pki/pki-tomcat/kra
-- Allow systemd domains watch system dbus pid socket files
-- Allow certmonger read network sysctls
-- Allow mdadm list stratisd data directories
-- Allow syslog to run unconfined scripts conditionally
-- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
-- Allow qatlib set attributes of vfio device files
-
-* Tue Jan 09 2024 Zdenek Pytela - 40.9-1
-- Allow systemd-sleep set attributes of efivarfs files
-- Allow samba-dcerpcd read public files
-- Allow spamd_update_t the sys_ptrace capability in user namespace
-- Allow bluetooth devices work with alsa
-- Allow alsa get attributes filesystems with extended attributes
-
-* Tue Jan 02 2024 Yaakov Selkowitz - 40.8-2
-- Limit %%selinux_requires to version, not release
-
-* Thu Dec 21 2023 Zdenek Pytela - 40.8-1
-- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
-- Add interface for write-only access to NetworkManager rw conf
-- Allow systemd-sleep send a message to syslog over a unix dgram socket
-- Allow init create and use netlink netfilter socket
-- Allow qatlib load kernel modules
-- Allow qatlib run lspci
-- Allow qatlib manage its private runtime socket files
-- Allow qatlib read/write vfio devices
-- Label /etc/redis.conf with redis_conf_t
-- Remove the lockdown-class rules from the policy
-- Allow init read all non-security socket files
-- Replace redundant dnsmasq pattern macros
-- Remove unneeded symlink perms in dnsmasq.if
-- Add additions to dnsmasq interface
-- Allow nvme_stas_t create and use netlink kobject uevent socket
-- Allow collectd connect to statsd port
-- Allow keepalived_t to use sys_ptrace of cap_userns
-- Allow dovecot_auth_t connect to postgresql using UNIX socket
-
-* Wed Dec 13 2023 Zdenek Pytela - 40.7-1
-- Make named_zone_t and named_var_run_t a part of the mountpoint attribute
-- Allow sysadm execute traceroute in sysadm_t domain using sudo
-- Allow sysadm execute tcpdump in sysadm_t domain using sudo
-- Allow opafm search nfs directories
-- Add support for syslogd unconfined scripts
-- Allow gpsd use /dev/gnss devices
-- Allow gpg read rpm cache
-- Allow virtqemud additional permissions
-- Allow virtqemud manage its private lock files
-- Allow virtqemud use the io_uring api
-- Allow ddclient send e-mail notifications
-- Allow postfix_master_t map postfix data files
-- Allow init create and use vsock sockets
-- Allow thumb_t append to init unix domain stream sockets
-- Label /dev/vas with vas_device_t
-- Change domain_kernel_load_modules boolean to true
-- Create interface selinux_watch_config and add it to SELinux users
-
-* Tue Nov 28 2023 Zdenek Pytela - 40.6-1
-- Add afterburn to modules-targeted-contrib.conf
-- Update cifs interfaces to include fs_search_auto_mountpoints()
-- Allow sudodomain read var auth files
-- Allow spamd_update_t read hardware state information
-- Allow virtnetworkd domain transition on tc command execution
-- Allow sendmail MTA connect to sendmail LDA
-- Allow auditd read all domains process state
-- Allow rsync read network sysctls
-- Add dhcpcd bpf capability to run bpf programs
-- Dontaudit systemd-hwdb dac_override capability
-- Allow systemd-sleep create efivarfs files
-
-* Tue Nov 14 2023 Zdenek Pytela - 40.5-1
-- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
-- Allow graphical applications work in Wayland
-- Allow kdump work with PrivateTmp
-- Allow dovecot-auth work with PrivateTmp
-- Allow nfsd get attributes of all filesystems
-- Allow unconfined_domain_type use io_uring cmd on domain
-- ci: Only run Rawhide revdeps tests on the rawhide branch
-- Label /var/run/auditd.state as auditd_var_run_t
-- Allow fido-device-onboard (FDO) read the crack database
-- Allow ip an explicit domain transition to other domains
-- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
-- Allow winbind_rpcd_t processes access when samba_export_all_* is on
-- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
-- Allow ntp to bind and connect to ntske port.
-- Allow system_mail_t manage exim spool files and dirs
-- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
-- Label /run/pcsd.socket with cluster_var_run_t
-- ci: Run cockpit tests in PRs
-
-* Thu Oct 19 2023 Zdenek Pytela - 40.4-1
-- Add map_read map_write to kernel_prog_run_bpf
-- Allow systemd-fstab-generator read all symlinks
-- Allow systemd-fstab-generator the dac_override capability
-- Allow rpcbind read network sysctls
-- Support using systemd containers
-- Allow sysadm_t to connect to iscsid using a unix domain stream socket
-- Add policy for coreos installer
-- Add coreos_installer to modules-targeted-contrib.conf
-
-* Tue Oct 17 2023 Zdenek Pytela - 40.3-1
-- Add policy for nvme-stas
-- Confine systemd fstab,sysv,rc-local
-- Label /etc/aliases.lmdb with etc_aliases_t
-- Create policy for afterburn
-- Add nvme_stas to modules-targeted-contrib.conf
-- Add plans/tests.fmf
-
-* Tue Oct 10 2023 Zdenek Pytela - 40.2-1
-- Add the virt_supplementary module to modules-targeted-contrib.conf
-- Make new virt drivers permissive
-- Split virt policy, introduce virt_supplementary module
-- Allow apcupsd cgi scripts read /sys
-- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes
-- Allow kernel_t to manage and relabel all files
-- Add missing optional_policy() to files_relabel_all_files()
-
-* Tue Oct 03 2023 Zdenek Pytela - 40.1-1
-- Allow named and ndc use the io_uring api
-- Deprecate common_anon_inode_perms usage
-- Improve default file context(None) of /var/lib/authselect/backups
-- Allow udev_t to search all directories with a filesystem type
-- Implement proper anon_inode support
-- Allow targetd write to the syslog pid sock_file
-- Add ipa_pki_retrieve_key_exec() interface
-- Allow kdumpctl_t to list all directories with a filesystem type
-- Allow udev additional permissions
-- Allow udev load kernel module
-- Allow sysadm_t to mmap modules_object_t files
-- Add the unconfined_read_files() and unconfined_list_dirs() interfaces
-- Set default file context of HOME_DIR/tmp/.* to <>
-- Allow kernel_generic_helper_t to execute mount(1)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b55e77a5..879abe7a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -5,7 +5,7 @@

 # github repo with selinux-policy sources
 %global giturl https://github.com/fedora-selinux/selinux-policy
-%global commit 56617809a873ce441278ef56a5b7e92c3c2cb56d
+%global commit dd6c29a55043e6ca80fae7ad0d2c4b9adf36e81e
 %global shortcommit %(c=%{commit}; echo ${c:0:7})

 %define distro redhat
@@ -17,7 +17,7 @@
 %define CHECKPOLICYVER 3.8
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 40.13.28
+Version: 40.13.29
 Release: 1%{?dist}
 License: GPL-2.0-or-later
 Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
diff --git a/sources b/sources
index 6403bd74..00365fa2 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (selinux-policy-5661780.tar.gz) = cba8c059ae53f95754a52d98cd1f39775ac4f09bba1051efa1de05ffcbf9b8d182987054429bffe42b3d3120a19ab2ae81fe920dc07e55a0d8d77fea2578d2f0
+SHA512 (selinux-policy-dd6c29a.tar.gz) = d986bc76e4a6a56b83dc910b77788c7305e59f5faf7b126e35ef94321eebdc74dd842d178af3460d9accf9bcefc1dca233c71dc5b885083b3fdcd20c4e8a3c1f
 SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4
-SHA512 (container-selinux.tgz) = a27ed7c067ebe315882531a05aab929a98b9068044fc9b86921f69c1781b0b574223e72aedc40c29973ca9b0afd7202a257545192fbf29050649f00eb1c80080
+SHA512 (container-selinux.tgz) = 13f15d297eaedb1fa2cf4a71a8429eea8216289d3577f818fadf601ba394883d646105b7aff52c0d2de44cce4aa1798f589d906b746fff9641c8c14e9d4cac08