* Fri Dec 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-14

- Remove all ganesha bits from gluster and rpc policy
- Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_t
- Add dac_override capability to ssad_t domains
- Allow pesign_t domain to read gnome home configs
- Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_t
- Allow rngd_t domains to read kernel state
- Allow certmonger_t domains to read bind cache
- Allow ypbind_t domain to stream connect to sssd
- Allow rngd_t domain to setsched
- Allow sanlock_t domain to read/write sysfs_t files
- Add dac_override capability to postfix_local_t domain
- Allow ypbind_t to search sssd_var_lib_t dirs
- Allow virt_qemu_ga_t domain to write to user_tmp_t files
- Allow systemd_logind_t to dbus chat with virt_qemu_ga_t
- Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files
- Add new interface sssd_signal()
- Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() interfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_t
- Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t
- Add sys_resource capability to the systemd_passwd_agent_t domain
- Allow ipsec_t domains to read bind cache
- kernel/files.fc: Label /run/motd as etc_t
- Allow systemd to stream connect to userdomain processes
- Label /var/lib/private/systemd/ as init_var_lib_t
- Allow initrc_t domain to create new socket labeled as init_T
- Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket.
- Add tracefs_t type to mountpoint attribute
- Allow useradd_t and groupadd_t domains to send signals to sssd_t
- Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636)
- Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils
Lukas Vrabec 2018-12-06 16:43:04 +01:00
parent 4086d43dcb
commit 22bdc94c2b
No known key found for this signature in database
GPG Key ID: 47201AC42F29CE06
3 changed files with 39 additions and 6 deletions

.gitignore vendored

@ -325,3 +325,5 @@ serefpolicy*
/selinux-policy-62d90da.tar.gz
/selinux-policy-contrib-a01743f.tar.gz
/selinux-policy-4cbc1ae.tar.gz
/selinux-policy-contrib-a0e3869.tar.gz
/selinux-policy-509e071.tar.gz
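Review bot: the two entries added at the end of this hunk (/selinux-policy-contrib-a0e3869.tar.gz and /selinux-policy-509e071.tar.gz) continue the pattern of ignoring every source tarball by its short commit, so .gitignore gains two lines on each rebase and the stale names above them are never dropped. A single anchored glob such as /selinux-policy-*.tar.gz would cover both the base and contrib tarballs, current and future, and the per-commit entries could then be removed.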


@ -1,11 +1,11 @@
# github repo with selinux-policy base sources
%global git0 https://github.com/fedora-selinux/selinux-policy
%global commit0 4cbc1ae7dbe8f08edee55b33d1031f0ee0c6ff4e
%global commit0 509e071fb3ded4e982bdf7fdcdc8bbc8f7779172
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
# github repo with selinux-policy contrib sources
%global git1 https://github.com/fedora-selinux/selinux-policy-contrib
%global commit1 a01743f0cd8f3fd2aa99b32ff01697eeb0918b0c
%global commit1 a0e386916f8bbd64918c3ab98267431e8a78bfe9
%global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
%define distro redhat
@ -29,7 +29,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.14.3
Release: 13%{?dist}
Release: 14%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
@ -709,6 +709,37 @@ exit 0
%endif
%changelog
* Fri Dec 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-14
- Remove all ganesha bits from gluster and rpc policy
- Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_t
- Add dac_override capability to ssad_t domains
- Allow pesign_t domain to read gnome home configs
- Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_t
- Allow rngd_t domains read kernel state
- Allow certmonger_t domains to read bind cache
- Allow ypbind_t domain to stream connect to sssd
- Allow rngd_t domain to setsched
- Allow sanlock_t domain to read/write sysfs_t files
- Add dac_override capability to postfix_local_t domain
- Allow ypbind_t to search sssd_var_lib_t dirs
- Allow virt_qemu_ga_t domain to write to user_tmp_t files
- Allow systemd_logind_t to dbus chat with virt_qemu_ga_t
- Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files
- Add new interface sssd_signal()
- Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() unterfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_t
- Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t
- Add sys_resource capability to the systemd_passwd_agent_t domain
- Allow ipsec_t domains to read bind cache
- kernel/files.fc: Label /run/motd as etc_t
- Allow systemd to stream connect to userdomain processes
- Label /var/lib/private/systemd/ as init_var_lib_t
- Allow initrc_t domain to create new socket labeled as init_T
- Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket.
- Add tracefs_t type to mountpoint attribute
- Allow useradd_t and groupadd_t domains to send signals to sssd_t
- Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636)
- Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils
* Wed Nov 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-13
- Update pesign policy to allow pesign_t domain to read bind cache files/dirs
- Add dac_override capability to mdadm_t domain
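Review bot: the new %changelog header reads "Fri Dec 06 2018", but 6 December 2018 (the commit date shown above, 2018-12-06) was a Thursday, and rpm reports a weekday that does not match the date as a bogus changelog date; change it to "Thu Dec 06 2018". In the same entry, "unterfaces" should be "interfaces", and "ssad_t" and "init_T" look like typos when compared with sssd_t and the lowercase _t types used in the other lines, so they are worth confirming against the policy sources. The entries that add dac_override (ssad_t, postfix_local_t) and sys_resource (systemd_passwd_agent_t) carry no bug reference, unlike the tmpfs_t entry with BZ(1648636); a reference for each capability grant would make them easier to audit later.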


@ -1,3 +1,3 @@
SHA512 (selinux-policy-contrib-a01743f.tar.gz) = 4f21db7f96599c85d4d16b275b693338f63c00083e0931e4658d93c23ee969f6670c7dcde67d54e3c55718577759bd14f7ee68c3e82896e0b6334077fbc98686
SHA512 (selinux-policy-4cbc1ae.tar.gz) = 0d6a5f5df9dda62b72ad037f124eed91e06d7657d15c0d6155b6e5449b6fca034c6ac1759fb5cb42ab39ea9973a5149403267afc21f15f849e86bea1d6b61f62
SHA512 (container-selinux.tgz) = d4cc25cfd87b9efd77424f3a799044a927488756e31bd157f59613acb0bb4da19013fc2e22ff9194b2ebfb6c57d33a98d7a1f76e9720f1ac8fa889b39807f0ac
SHA512 (selinux-policy-contrib-a0e3869.tar.gz) = ba019a31f71790b65f07fad44ffcab0d50d1b4a4086ea7f3b756d67895aac1b6e0d01514f192bc07c9ede1f35fe7b2ab28b7d3a159255e305d8c08e65d393427
SHA512 (selinux-policy-509e071.tar.gz) = cd4c1411aa74c43491d4482d537aa25b3dd670afef72e6da927e515cdb7ed66515f6d700c9bd02167f03faec3034733b6f61a82e58ba0a8ec2a85e14d33be3e2
SHA512 (container-selinux.tgz) = 1e5c84f12624082b371cf56228ea17a39c4ba55689ca65d85498b51e5762129fe34099061ef42d052577a64ae89d8abd60e15bc81878db251155438202ee0165
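Review bot: the checksum for container-selinux.tgz changes in this hunk (from d4cc25cf... to 1e5c84f1...) while the file name stays the same, and neither the changelog entry nor the commit pins in the spec mention a container-selinux update. The other two sources are traceable because their names carry the short commit that the spec pins (509e071, a0e3869); for this tarball, please say in the changelog which upstream revision the new archive was built from, or name it by commit as the other two are, so the content change can be verified.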