diff --git a/.gitignore b/.gitignore
index c2c88c35..271aee17 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-55f4df9.tar.gz
-SOURCES/selinux-policy-contrib-73a88dc.tar.gz
+SOURCES/selinux-policy-8f56f63.tar.gz
+SOURCES/selinux-policy-contrib-e231b3e.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index c4abb928..8ba77ee1 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,3 +1,3 @@
-526c41eed592a718650dde4345718e26fc32b581 SOURCES/container-selinux.tgz
-c10a1f894f9a2b1eb2159c2c753d97a5ff788887 SOURCES/selinux-policy-55f4df9.tar.gz
-77721918853ad9706dc2189c1787587ee6c3b72e SOURCES/selinux-policy-contrib-73a88dc.tar.gz
+1e65dcb828792d3eba6cf15383ab9da3132e8b8b SOURCES/container-selinux.tgz
+672cfe526149ad56c857a79856e769548d9ead8e SOURCES/selinux-policy-8f56f63.tar.gz
+f386b378f3a398fc17dfbaa3acfacbeaeaf5e0b4 SOURCES/selinux-policy-contrib-e231b3e.tar.gz
diff --git a/SOURCES/file_contexts.subs_dist b/SOURCES/file_contexts.subs_dist
index f64b2317..0f127d96 100644
--- a/SOURCES/file_contexts.subs_dist
+++ b/SOURCES/file_contexts.subs_dist
@@ -17,3 +17,4 @@
 /var/roothome /root
 /sbin /usr/sbin
 /sysroot/tmp /tmp
+/var/usrlocal /usr/local
diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf
index 7c6c66dd..de87626f 100644
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@@ -720,13 +720,6 @@ git = module
 #
 glance = module
 
-# Layer: contrib
-# Module: glusterd
-#
-# policy for glusterd service
-#
-glusterd = module
-
 # Layer: apps
 # Module: gnome
 #
@@ -2012,7 +2005,7 @@ timidity = off
 tmpreaper = module
 
 # Layer: contrib
-# Module: glusterd
+# Module: tomcat
 #
 # policy for tomcat service
 #
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index d4032209..fae0cc81 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
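Review bot: In the SOURCES/file_contexts.subs_dist hunk, the new `/var/usrlocal /usr/local` substitution is applied to the lookup key before the file_contexts regexes are consulted, so the separate entry for `/var/usrlocal/(.*/)?sbin(/.*)?` that this commit's changelog says was added to label it as bin_t would presumably never be reached through that path; worth confirming the two are meant to coexist and that the existing /usr/local rules already produce bin_t for that subtree. The substitution only affects new lookups (matchpathcon, restorecon, setfiles), so content already present under /var/usrlocal keeps its current label until a relabel runs, and nothing in this diff shows a %post relabel for that path. The reason for the mapping (the other entries suggest an ostree-style layout where /usr/local points at /var/usrlocal, but the diff does not say) would be easier to maintain if recorded next to the entry.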
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 55f4df96a3aff2ed1791e428385e1967856eed49
+%global commit0 8f56f631a921d043bc8176f7c64a38cd77b48f66
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 73a88dc7435b803ba860e8938c9611dd62ef6d5c
+%global commit1 e231b3e6ede7acd60339cc7264bbdba1da6014d2
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 67%{?dist}.2
+Release: 80%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -715,13 +715,215 @@ exit 0
 %endif
 
 %changelog
-* Thu Sep 02 2021 Zdenek Pytela - 3.14.3-67.2
-- Label /.k5identity file allow read of this file to rpc.gssd
-Resolves: rhbz#1995594
+* Thu Sep 16 2021 Zdenek Pytela - 3.14.3-80
+- Allow rhsmcertd_t dbus chat with anaconda install_t
+Resolves: rhbz#2002666
 
-* Tue Jun 29 2021 Zdenek Pytela - 3.14.3-67.1
+* Fri Aug 27 2021 Zdenek Pytela - 3.14.3-79
+- Introduce xdm_manage_bootloader booelan
+Resolves: rhbz#1994096
+- Rename samba_exec() to samba_exec_net()
+Resolves: rhbz#1855215
+- Allow sssd to set samba setting
+Resolves: rhbz#1855215
+- Allow dirsrv read slapd tmpfs files
+Resolves: rhbz#1843238
+- Allow rhsmcertd to create cache file in /var/cache/cloud-what
+Resolves: rhbz#1994718
+
+* Wed Aug 25 2021 Zdenek Pytela - 3.14.3-78
+- Label /usr/bin/Xwayland with xserver_exec_t
+Resolves: rhbz#1984584
+- Label /usr/libexec/gdm-runtime-config with xdm_exec_t
+Resolves: rhbz#1984584
+- Allow D-bus communication between avahi and sosreport
+Resolves: rhbz#1916397
+- Allow lldpad send to kdumpctl over a unix dgram socket
+Resolves: rhbz#1979121
+- Revert "Allow lldpad send to kdump over a unix dgram socket"
+Resolves: rhbz#1979121
+- Allow chronyc respond to a user chronyd instance
+Resolves: rhbz#1993104
+- Allow ptp4l respond to pmc
+Resolves: rhbz#1993104
+- Allow lldpad send to unconfined_t over a unix dgram socket
+Resolves: rhbz#1993270
+
+* Thu Aug 12 2021 Zdenek Pytela - 3.14.3-77
+- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
+Resolves: rhbz#1887739
+- Allow sysadm to read/write scsi files and manage shadow
+Resolves: rhbz#1956302
+- Allow rhsmcertd execute gpg
+Resolves: rhbz#1887572
+- Allow lldpad send to kdump over a unix dgram socket
+Resolves: rhbz#1979121
+- Remove glusterd SELinux module from distribution policy
+Resolves: rhbz#1816718
+
+* Tue Aug 10 2021 Zdenek Pytela - 3.14.3-76
+- Allow login_userdomain read and map /var/lib/systemd files
+Resolves: rhbz#1965251
+- Allow sysadm acces to kernel module resources
+Resolves: rhbz#1965251
+- Allow sysadm to read/write scsi files and manage shadow
+Resolves: rhbz#1965251
+- Allow sysadm access to files_unconfined and bind rpc ports
+Resolves: rhbz#1965251
+- Allow sysadm read and view kernel keyrings
+Resolves: rhbz#1965251
+- Allow bootloader to read tuned etc files
+Resolves: rhbz#1965251
+- Update the policy for systemd-journal-upload
+Resolves: rhbz#1913414
+- Allow journal mmap and read var lib files
+Resolves: rhbz#1965251
+- Allow tuned to read rhsmcertd config files
+Resolves: rhbz#1965251
+- Allow bootloader to read tuned etc files
+Resolves: rhbz#1965251
+- Confine rhsm service and rhsm-facts service as rhsmcertd_t
+Resolves: rhbz#1846081
+- Allow virtlogd_t read process state of user domains
+Resolves: rhbz#1797899
+- Allow cockpit_ws_t get attributes of fs_t filesystems
+Resolves: rhbz#1979182
+
+* Thu Jul 29 2021 Zdenek Pytela - 3.14.3-75
+- Add the unconfined_dgram_send() interface
+Resolves: rhbz#1978562
+- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
+Resolves: rhbz#1936522
+- Add checkpoint_restore cap2 capability
+Resolves: rhbz#1973325
+- Allow fcoemon talk with unconfined user over unix domain datagram socket
+Resolves: rhbz#1978562
+- Allow hostapd bind UDP sockets to the dhcpd port
+Resolves: rhbz#1977676
+- Allow NetworkManager read and write z90crypt device
+Resolves: rhbz#1938203
+- Allow abrt_domain read and write z90crypt device
+Resolves: rhbz#1938203
+- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
+Resolves: rhbz#1937111
+- Allow mdadm read iscsi pid files
+Resolves: rhbz#1924716
+
+* Fri Jul 16 2021 Zdenek Pytela - 3.14.3-74
+- Allow dyntransition from sshd_t to unconfined_t
+Resolves: rhbz#1947841
+
+* Wed Jul 14 2021 Zdenek Pytela - 3.14.3-73
+- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
+Resolves: rhbz#1947841
+- Allow transition from xdm domain to unconfined_t domain.
+Resolves: rhbz#1947841
+- Allow nftables read NetworkManager unnamed pipes
+Resolves: rhbz#1967857
+- Create a policy for systemd-journal-upload
+Resolves: rhbz#1913414
+- Add dev_getattr_infiniband_dev() interface.
+Resolves: rhbz#1972522
+- Allow tcpdump and nmap get attributes of infiniband_device_t
+Resolves: rhbz#1972522
+- Allow fcoemon create sysfs files
+Resolves: rhbz#1978562
+- Allow nftables read NetworkManager unnamed pipes
+Resolves: rhbz#1967857
+- Allow radius map its library files
+Resolves: rhbz#1854650
+- Allow arpwatch get attributes of infiniband_device_t devices
+Resolves: rhbz#1936522
+
+* Tue Jun 29 2021 Zdenek Pytela - 3.14.3-72
+- Allow systemd-sleep get attributes of fixed disk device nodes
+Resolves: rhbz#1931460
+- Allow systemd-sleep create hardware state information files
+Resolves: rhbz#1968610
+- virtiofs supports Xattrs and SELinux
+Resolves: rhbz#1899703
+- Label 4460/tcp port as ntske_port_t
+Resolves: rhbz#1961207
+- Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.
+Resolves: rhbz#1961207
+- Allow chronyd_t to accept and make NTS-KE connections
+Resolves: rhbz#1961207
+- Dontaudit NetworkManager write to initrc_tmp_t pipes
+Resolves: rhbz#1963162
+- Allow logrotate rotate container log files
+Resolves: rhbz#1892170
+- Allow rhsmd read process state of all domains and kernel threads
+Resolves: rhbz#1878020
+
+* Tue Jun 15 2021 Zdenek Pytela - 3.14.3-71
+- Allow nmap create and use rdma socket
+Resolves: rhbz#1844530
+- Label /.k5identity file allow read of this file to rpc.gssd
+Resolves: rhbz#1951093
 - Label /var/lib/kdump with kdump_var_lib_t
-Resolves: rhbz#1976260
+Resolves: rhbz#1965985
+- Label /run/libvirt/common with virt_common_var_run_t
+Resolves: rhbz#1966842
+
+* Wed Jun 09 2021 Zdenek Pytela - 3.14.3-70
+- Allow using opencryptoki for ipsec
+Resolves: rhbz#1894132
+- Remove all kernel_getattr_proc() interface calls
+Resolves: rhbz#1967125
+- Allow domain stat /proc filesystem
+Resolves: rhbz#1967125
+- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
+Resolves: rhbz#1969725
+- Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
+Resolves: rhbz#1894132
+- Allow using opencryptoki for certmonger
+Resolves: rhbz#1894132
+- install_t: Allow NoNewPriv transition from systemd
+Resolves: rhbz#1955547
+- Remove all kernel_getattr_proc() interface calls
+Resolves: rhbz#1967125
+- Allow httpd_sys_script_t read, write, and map hugetlbfs files
+Resolves: rhbz#1966133
+
+* Wed Jun 02 2021 Zdenek Pytela - 3.14.3-69
+- Add /var/usrlocal equivalency rule
+Resolves: rhbz#1943381
+- Label '/var/usrlocal/(.*/)?sbin(/.*)?' as bin_t
+Resolves: rhbz#1943381
+- Label /dev/trng with random_device_t
+Resolves: rhbz#1934483
+- Allow systemd-sleep transition to sysstat_t
+Resolves: rhbz#1927551
+- Allow systemd-sleep transition to tlp_t
+Resolves: rhbz#1927551
+- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
+Resolves: rhbz#1927551
+- Allow systemd-sleep execute generic programs
+Resolves: rhbz#1948070
+- Allow systemd-sleep execute shell
+Resolves: rhbz#1954358
+- Allow nsswitch_domain read init pid lnk_files
+Resolves: rhbz#1860924
+- Introduce logging_syslogd_list_non_security_dirs tunable
+Resolves: rhbz#1823669
+- Add sysstat_domtrans() to allow systemd-sleep transition to sysstat_t
+Resolves: rhbz#1927551
+- Change param description in cron interfaces to userdomain_prefix
+Resolves: rhbz#1801249
+- Add missing declaration in rpm_named_filetrans()
+Resolves: rhbz#1801249
+
+* Thu May 20 2021 Zdenek Pytela - 3.14.3-68
+- Allow pluto IKEv2 / ESP over TCP
+Resolves: rhbz#1931848
+- Label SDC(scini) Dell Driver
+Resolves: rhbz#1936882
+- Add file context specification for /var/tmp/tmp-inst
+Resolves: rhbz#1919253
+- Allow virtlogd_t to create virt_var_lockd_t dir
+Resolves: rhbz#1941464
+- Allow cups-lpd read its private runtime socket files
+Resolves: rhbz#1919399
 
 * Mon Mar 15 2021 Zdenek Pytela - 3.14.3-67
 - Allow systemd the audit_control capability conditionally