import selinux-policy-3.14.3-80.el8

2021-11-09 05:06:27 -05:00 · 2021-11-09 05:06:27 -05:00 · 2523996829
commit 2523996829
parent 8130e1f80f
5 changed files with 217 additions and 21 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-55f4df9.tar.gz
-SOURCES/selinux-policy-contrib-73a88dc.tar.gz
+SOURCES/selinux-policy-8f56f63.tar.gz
+SOURCES/selinux-policy-contrib-e231b3e.tar.gz
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@ -1,3 +1,3 @@
-526c41eed592a718650dde4345718e26fc32b581 SOURCES/container-selinux.tgz
-c10a1f894f9a2b1eb2159c2c753d97a5ff788887 SOURCES/selinux-policy-55f4df9.tar.gz
-77721918853ad9706dc2189c1787587ee6c3b72e SOURCES/selinux-policy-contrib-73a88dc.tar.gz
+1e65dcb828792d3eba6cf15383ab9da3132e8b8b SOURCES/container-selinux.tgz
+672cfe526149ad56c857a79856e769548d9ead8e SOURCES/selinux-policy-8f56f63.tar.gz
+f386b378f3a398fc17dfbaa3acfacbeaeaf5e0b4 SOURCES/selinux-policy-contrib-e231b3e.tar.gz
--- a/SOURCES/file_contexts.subs_dist
+++ b/SOURCES/file_contexts.subs_dist
@ -17,3 +17,4 @@
 /var/roothome        /root
 /sbin                /usr/sbin
 /sysroot/tmp         /tmp
+/var/usrlocal        /usr/local
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@ -720,13 +720,6 @@ git = module
 # 
 glance = module

-# Layer: contrib
-# Module: glusterd
-#  
-#  policy for glusterd service
-#
-glusterd =  module
-
 # Layer: apps
 # Module: gnome
 #
@ -2012,7 +2005,7 @@ timidity = off
 tmpreaper = module

 # Layer: contrib
-# Module: glusterd
+# Module: tomcat
 #  
 #  policy for tomcat service
 #
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 55f4df96a3aff2ed1791e428385e1967856eed49
+%global commit0 8f56f631a921d043bc8176f7c64a38cd77b48f66
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})

 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 73a88dc7435b803ba860e8938c9611dd62ef6d5c
+%global commit1 e231b3e6ede7acd60339cc7264bbdba1da6014d2
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})

 %define distro redhat
@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 67%{?dist}.2
+Release: 80%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@ -715,13 +715,215 @@ exit 0
 %endif

 %changelog
-* Thu Sep 02 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-67.2
- Label /.k5identity file allow read of this file to rpc.gssd
-Resolves: rhbz#1995594
+* Thu Sep 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-80
+- Allow rhsmcertd_t dbus chat with anaconda install_t
+Resolves: rhbz#2002666

-* Tue Jun 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-67.1
+* Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-79
+- Introduce xdm_manage_bootloader booelan
+Resolves: rhbz#1994096
+- Rename samba_exec() to samba_exec_net()
+Resolves: rhbz#1855215
+- Allow sssd to set samba setting
+Resolves: rhbz#1855215
+- Allow dirsrv read slapd tmpfs files
+Resolves: rhbz#1843238
+- Allow rhsmcertd to create cache file in /var/cache/cloud-what
+Resolves: rhbz#1994718
+
+* Wed Aug 25 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-78
+- Label /usr/bin/Xwayland with xserver_exec_t
+Resolves: rhbz#1984584
+- Label /usr/libexec/gdm-runtime-config with xdm_exec_t
+Resolves: rhbz#1984584
+- Allow D-bus communication between avahi and sosreport
+Resolves: rhbz#1916397
+- Allow lldpad send to kdumpctl over a unix dgram socket
+Resolves: rhbz#1979121
+- Revert "Allow lldpad send to kdump over a unix dgram socket"
+Resolves: rhbz#1979121
+- Allow chronyc respond to a user chronyd instance
+Resolves: rhbz#1993104
+- Allow ptp4l respond to pmc
+Resolves: rhbz#1993104
+- Allow lldpad send to unconfined_t over a unix dgram socket
+Resolves: rhbz#1993270
+
+* Thu Aug 12 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-77
+- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
+Resolves: rhbz#1887739
+- Allow sysadm to read/write scsi files and manage shadow
+Resolves: rhbz#1956302
+- Allow rhsmcertd execute gpg
+Resolves: rhbz#1887572
+- Allow lldpad send to kdump over a unix dgram socket
+Resolves: rhbz#1979121
+- Remove glusterd SELinux module from distribution policy
+Resolves: rhbz#1816718
+
+* Tue Aug 10 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-76
+- Allow login_userdomain read and map /var/lib/systemd files
+Resolves: rhbz#1965251
+- Allow sysadm acces to kernel module resources
+Resolves: rhbz#1965251
+- Allow sysadm to read/write scsi files and manage shadow
+Resolves: rhbz#1965251
+- Allow sysadm access to files_unconfined and bind rpc ports
+Resolves: rhbz#1965251
+- Allow sysadm read and view kernel keyrings
+Resolves: rhbz#1965251
+- Allow bootloader to read tuned etc files
+Resolves: rhbz#1965251
+- Update the policy for systemd-journal-upload
+Resolves: rhbz#1913414
+- Allow journal mmap and read var lib files
+Resolves: rhbz#1965251
+- Allow tuned to read rhsmcertd config files
+Resolves: rhbz#1965251
+- Allow bootloader to read tuned etc files
+Resolves: rhbz#1965251
+- Confine rhsm service and rhsm-facts service as rhsmcertd_t
+Resolves: rhbz#1846081
+- Allow virtlogd_t read process state of user domains
+Resolves: rhbz#1797899
+- Allow cockpit_ws_t get attributes of fs_t filesystems
+Resolves: rhbz#1979182
+
+* Thu Jul 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-75
+- Add the unconfined_dgram_send() interface
+Resolves: rhbz#1978562
+- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
+Resolves: rhbz#1936522
+- Add checkpoint_restore cap2 capability
+Resolves: rhbz#1973325
+- Allow fcoemon talk with unconfined user over unix domain datagram socket
+Resolves: rhbz#1978562
+- Allow hostapd bind UDP sockets to the dhcpd port
+Resolves: rhbz#1977676
+- Allow NetworkManager read and write z90crypt device
+Resolves: rhbz#1938203
+- Allow abrt_domain read and write z90crypt device
+Resolves: rhbz#1938203
+- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
+Resolves: rhbz#1937111
+- Allow mdadm read iscsi pid files
+Resolves: rhbz#1924716
+
+* Fri Jul 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-74
+- Allow dyntransition from sshd_t to unconfined_t
+Resolves: rhbz#1947841
+
+* Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-73
+- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
+Resolves: rhbz#1947841
+- Allow transition from xdm domain to unconfined_t domain.
+Resolves: rhbz#1947841
+- Allow nftables read NetworkManager unnamed pipes
+Resolves: rhbz#1967857
+- Create a policy for systemd-journal-upload
+Resolves: rhbz#1913414
+- Add dev_getattr_infiniband_dev() interface.
+Resolves: rhbz#1972522
+- Allow tcpdump and nmap get attributes of infiniband_device_t
+Resolves: rhbz#1972522
+- Allow fcoemon create sysfs files
+Resolves: rhbz#1978562
+- Allow nftables read NetworkManager unnamed pipes
+Resolves: rhbz#1967857
+- Allow radius map its library files
+Resolves: rhbz#1854650
+- Allow arpwatch get attributes of infiniband_device_t devices
+Resolves: rhbz#1936522
+
+* Tue Jun 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-72
+- Allow systemd-sleep get attributes of fixed disk device nodes
+Resolves: rhbz#1931460
+- Allow systemd-sleep create hardware state information files
+Resolves: rhbz#1968610
+- virtiofs supports Xattrs and SELinux
+Resolves: rhbz#1899703
+- Label 4460/tcp port as ntske_port_t
+Resolves: rhbz#1961207
+- Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.
+Resolves: rhbz#1961207
+- Allow chronyd_t to accept and make NTS-KE connections
+Resolves: rhbz#1961207
+- Dontaudit NetworkManager write to initrc_tmp_t pipes
+Resolves: rhbz#1963162
+- Allow logrotate rotate container log files
+Resolves: rhbz#1892170
+- Allow rhsmd read process state of all domains and kernel threads
+Resolves: rhbz#1878020
+
+* Tue Jun 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-71
+- Allow nmap create and use rdma socket
+Resolves: rhbz#1844530
+- Label /.k5identity file allow read of this file to rpc.gssd
+Resolves: rhbz#1951093
 - Label /var/lib/kdump with kdump_var_lib_t
-Resolves: rhbz#1976260
+Resolves: rhbz#1965985
+- Label /run/libvirt/common with virt_common_var_run_t
+Resolves: rhbz#1966842
+
+* Wed Jun 09 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-70
+- Allow using opencryptoki for ipsec
+Resolves: rhbz#1894132
+- Remove all kernel_getattr_proc() interface calls
+Resolves: rhbz#1967125
+- Allow domain stat /proc filesystem
+Resolves: rhbz#1967125
+- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
+Resolves: rhbz#1969725
+- Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
+Resolves: rhbz#1894132
+- Allow using opencryptoki for certmonger
+Resolves: rhbz#1894132
+- install_t: Allow NoNewPriv transition from systemd
+Resolves: rhbz#1955547
+- Remove all kernel_getattr_proc() interface calls
+Resolves: rhbz#1967125
+- Allow httpd_sys_script_t read, write, and map hugetlbfs files
+Resolves: rhbz#1966133
+
+* Wed Jun 02 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-69
+- Add /var/usrlocal equivalency rule
+Resolves: rhbz#1943381
+- Label '/var/usrlocal/(.*/)?sbin(/.*)?' as bin_t
+Resolves: rhbz#1943381
+- Label /dev/trng with random_device_t
+Resolves: rhbz#1934483
+- Allow systemd-sleep transition to sysstat_t
+Resolves: rhbz#1927551
+- Allow systemd-sleep transition to tlp_t
+Resolves: rhbz#1927551
+- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
+Resolves: rhbz#1927551
+- Allow systemd-sleep execute generic programs
+Resolves: rhbz#1948070
+- Allow systemd-sleep execute shell
+Resolves: rhbz#1954358
+- Allow nsswitch_domain read init pid lnk_files
+Resolves: rhbz#1860924
+- Introduce logging_syslogd_list_non_security_dirs tunable
+Resolves: rhbz#1823669
+- Add sysstat_domtrans() to allow systemd-sleep transition to sysstat_t
+Resolves: rhbz#1927551
+- Change param description in cron interfaces to userdomain_prefix
+Resolves: rhbz#1801249
+- Add missing declaration in rpm_named_filetrans()
+Resolves: rhbz#1801249
+
+* Thu May 20 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-68
+- Allow pluto IKEv2 / ESP over TCP
+Resolves: rhbz#1931848
+- Label SDC(scini) Dell Driver
+Resolves: rhbz#1936882
+- Add file context specification for /var/tmp/tmp-inst
+Resolves: rhbz#1919253
+- Allow virtlogd_t to create virt_var_lockd_t dir
+Resolves: rhbz#1941464
+- Allow cups-lpd read its private runtime socket files
+Resolves: rhbz#1919399

 * Mon Mar 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-67
 - Allow systemd the audit_control capability conditionally