import selinux-policy-3.14.3-95.el8

2022-05-10 03:13:52 -04:00 · 2022-05-10 03:13:52 -04:00 · 2726dc48f2
parent 78bb608bb7
commit 2726dc48f2
4 changed files with 277 additions and 15 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-5e22faf.tar.gz
-SOURCES/selinux-policy-contrib-e231b3e.tar.gz
+SOURCES/selinux-policy-ab10edf.tar.gz
+SOURCES/selinux-policy-contrib-191fa35.tar.gz
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@ -1,3 +1,3 @@
-f5ad37b9dabd129300229ec0751db35e6d62c332 SOURCES/container-selinux.tgz
-75b142d56c6376c30f8590e3807a904fbe307607 SOURCES/selinux-policy-5e22faf.tar.gz
-f386b378f3a398fc17dfbaa3acfacbeaeaf5e0b4 SOURCES/selinux-policy-contrib-e231b3e.tar.gz
+fe7cc80203e8b5272aa4a6525845f5c8d1671f84 SOURCES/container-selinux.tgz
+63370b22c1c8e54e56b2636c09d124754cb0f2d4 SOURCES/selinux-policy-ab10edf.tar.gz
+a102adb4e4b8dac769ab8ea166288c3c1dbc4967 SOURCES/selinux-policy-contrib-191fa35.tar.gz
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@ -2656,3 +2656,10 @@ rrdcached = module
 # stratisd
 #
 stratisd = module
+
+# Layer: contrib
+# Module: insights_client
+#
+# insights_client
+#
+insights_client = module
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 5e22fafd0a9ff7c9980fe25997d1f0e3dacc6486
+%global commit0 ab10edf9d09f671f038fbc4446ddc7d8ceb1a266
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})

 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 e231b3e6ede7acd60339cc7264bbdba1da6014d2
+%global commit1 191fa35ac243f8f3f1db0a9e95c77b6e308a16e9
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})

 %define distro redhat
@ -24,12 +24,12 @@
 %define BUILD_MLS 1
 %endif
 %define POLICYVER 31
-%define POLICYCOREUTILSVER 2.9
+%define POLICYCOREUTILSVER 2.9-19
 %define CHECKPOLICYVER 2.9
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 80%{?dist}.2
+Release: 95%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@ -141,6 +141,7 @@ SELinux policy development and man page package
 %dir %{_usr}/share/selinux/devel
 %dir %{_usr}/share/selinux/devel/include
 %{_usr}/share/selinux/devel/include/*
+%exclude %{_usr}/share/selinux/devel/include/contrib/container.if
 %dir %{_usr}/share/selinux/devel/html
 %{_usr}/share/selinux/devel/html/*html
 %{_usr}/share/selinux/devel/html/*css
@ -264,6 +265,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \
 #%{_libexecdir}/selinux/selinux-factory-reset \
 #%{_unitdir}/selinux-factory-reset@.service \
 #%{_unitdir}/basic.target.wants/selinux-factory-reset@%1.service \
@ -715,17 +717,270 @@ exit 0
 %endif

 %changelog
-* Fri Dec 10 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-80.2
- Allow unconfined_t to node_bind icmp_sockets in node_t domain
-Resolves: rhbz#2027691
+* Thu Mar 24 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-95
+- Allow hostapd talk with unconfined user over unix domain dgram socket
+Resolves: rhbz#2064284

-* Wed Nov 10 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-80.1
+* Thu Mar 10 2022 Nikola Knazekova nknazeko@redhat.com - 3.14.3-94
+- Allow chronyd send a message to sosreport over datagram socket
+- Allow systemd-logind dbus chat with sosreport
+Resolves: rhbz#1949493
+
+* Thu Feb 24 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-93
+- Allow systemd-networkd dbus chat with sosreport
+Resolves: rhbz#1949493
+- Allow sysadm_passwd_t to relabel passwd and group files
+Resolves: rhbz#2053457
+- Allow confined sysadmin to use tool vipw
+Resolves: rhbz#2053457
+- Allow sosreport dbus chat with abrt and timedatex
+Resolves: rhbz#1949493
+- Remove unnecessary /etc file transitions for insights-client
+Resolves: rhbz#2031853
+- Label all content in /var/lib/insights with insights_client_var_lib_t
+Resolves: rhbz#2031853
+- Update insights-client policy
+Resolves: rhbz#2031853
+- Update insights-client: fc pattern, motd, writing to etc
+Resolves: rhbz#2031853
+- Remove permissive domain for insights_client_t
+Resolves: rhbz#2031853
+- New policy for insight-client
+Resolves: rhbz#2031853
+- Add the insights_client module
+Resolves: rhbz#2031853
+- Update specfile to buildrequire policycoreutils-devel >= 2.9-19
+- Add modules_checksum to %files
+
+* Wed Feb 16 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-92
+- Allow postfix_domain read dovecot certificates 1/2
+Resolves: rhbz#2043599
+- Dontaudit dirsrv search filesystem sysctl directories 1/2
+Resolves: rhbz#2042568
+- Allow chage domtrans to sssd
+Resolves: rhbz#2054718
+- Allow postfix_domain read dovecot certificates 2/2
+Resolves: rhbz#2043599
+- Allow ctdb create cluster logs
+Resolves: rhbz#2049481
+- Allow alsa bind mixer controls to led triggers
+Resolves: rhbz#2049730
+- Allow alsactl set group Process ID of a process
+Resolves: rhbz#2049730
+- Dontaudit mdadm list dirsrv tmpfs dirs
+Resolves: rhbz#2011174
+- Dontaudit dirsrv search filesystem sysctl directories 2/2
+Resolves: rhbz#2042568
+- Revert "Label NetworkManager-dispatcher service with separate context"
+Related: rhbz#1989070
+- Revert "Allow NetworkManager-dispatcher dbus chat with NetworkManager"
+Related: rhbz#1989070
+
+* Wed Feb 09 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-91
+- Allow NetworkManager-dispatcher dbus chat with NetworkManager
+Resolves: rhbz#1989070
+
+* Fri Feb 04 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-90
+- Fix badly indented used interfaces
+Resolves: rhbz#2030156
+- Allow domain transition to sssd_t 1/2
+Resolves: rhbz#2022690
+- Allow confined users to use kinit,klist and etc.
+Resolves: rhbz#2026598
+- Allow login_userdomain open/read/map system journal
+Resolves: rhbz#2046481
+- Allow init read stratis data symlinks 2/2
+Resolves: rhbz#2048514
+- Label new utility of NetworkManager nm-priv-helper
+Resolves: rhbz#1986076
+- Label NetworkManager-dispatcher service with separate context
+Resolves: rhbz#1989070
+- Allow domtrans to sssd_t and role access to sssd
+Resolves: rhbz#2030156
+- Creating interface sssd_run_sssd()
+Resolves: rhbz#2030156
+- Allow domain transition to sssd_t 2/2
+Resolves: rhbz#2022690
+- Allow timedatex dbus chat with xdm
+Resolves: rhbz#2040214
+- Associate stratisd_data_t with device filesystem
+Resolves: rhbz#2048514
+- Allow init read stratis data symlinks 1/2
+Resolves: rhbz#2048514
+- Allow rhsmcertd create rpm hawkey logs with correct label
+Resolves: rhbz#1949871
+
+* Wed Jan 26 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-89
+- Allow NetworkManager talk with unconfined user over unix domain dgram socket
+Resolves: rhbz#2044048
+- Allow system_mail_t read inherited apache system content rw files
+Resolves: rhbz#1988339
+- Add apache_read_inherited_sys_content_rw_files() interface
+Related: rhbz#1988339
+- Allow rhsm-service execute its private memfd: objects
+Resolves: rhbz#2029873
+- Allow dirsrv read configfs files and directories
+Resolves: rhbz#2042568
+- Label /run/stratisd with stratisd_var_run_t
+Resolves: rhbz#1879585
+- Fix path for excluding container.if from selinux-policy-devel
+Resolves: rhbz#1861968
+
+* Thu Jan 20 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-88
+- Revert "Label /etc/cockpit/ws-certs.d with cert_t"
+Related: rhbz#1907473
+
+* Tue Jan 18 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-87
+- Set default file context for /sys/firmware/efi/efivars
+Resolves: rhbz#2039458
+- Allow sysadm_t start and stop transient services
+Resolves: rhbz#2031065
+- Label /etc/cockpit/ws-certs.d with cert_t
+Resolves: rhbz#1907473
+- Allow smbcontrol read the network state information
+Resolves: rhbz#2033873
+- Allow rhsm-service read/write its private memfd: objects
+Resolves: rhbz#2029873
+- Allow fcoemon request the kernel to load a module
+Resolves: rhbz#1940317
+- Allow radiusd connect to the radacct port
+Resolves: rhbz#2038955
+- Label /var/lib/shorewall6-lite with shorewall_var_lib_t
+Resolves: rhbz#2041447
+- Exclude container.if from selinux-policy-devel
+Resolves: rhbz#1861968
+
+* Mon Jan 03 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-86
+- Allow sysadm execute sysadmctl in sysadm_t domain using sudo
+Resolves: rhbz#2013749
+- Allow local_login_t get attributes of tmpfs filesystems
+Resolves: rhbz#2015539
+- Allow local_login_t get attributes of filesystems with ext attributes
+Resolves: rhbz#2015539
+- Allow local_login_t domain to getattr cgroup filesystem
+Resolves: rhbz#2015539
+- Allow systemd read unlabeled symbolic links
+Resolves: rhbz#2021835
+- Allow userdomains use pam_ssh_agent_auth for passwordless sudo
+Resolves: rhbz#1917879
+- Allow sudodomains execute passwd in the passwd domain
+Resolves: rhbz#1943572
+- Label authcompat.py with authconfig_exec_t
+Resolves: rhbz#1919122
+- Dontaudit pkcsslotd sys_admin capability
+Resolves: rhbz#2021887
+- Allow lldpd connect to snmpd with a unix domain stream socket
+Resolves: rhbz#1991029
+
+* Tue Dec 07 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-85
+- Allow unconfined_t to node_bind icmp_sockets in node_t domain
+Resolves: rhbz#2025445
+- Allow rhsmcertd get attributes of tmpfs_t filesystems
+Resolves: rhbz#2015820
+- The nfsdcld service is now confined by SELinux
+Resolves: rhbz#2026588
+- Allow smbcontrol use additional socket types
+Resolves: rhbz#2027740
+- Allow lldpd use an snmp subagent over a tcp socket
+Resolves: rhbz#2028379
+
+* Wed Nov 24 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-84
+- Allow sysadm_t read/write pkcs shared memory segments
+Resolves: rhbz#1965251
+- Allow sysadm_t connect to sanlock over a unix stream socket
+Resolves: rhbz#1965251
+- Allow sysadm_t dbus chat with sssd
+Resolves: rhbz#1965251
+- Allow sysadm_t set attributes on character device nodes
+Resolves: rhbz#1965251
+- Allow sysadm_t read and write watchdog devices
+Resolves: rhbz#1965251
+- Allow sysadm_t connect to cluster domains over a unix stream socket
+Resolves: rhbz#1965251
+- Allow sysadm_t dbus chat with tuned 2/2
+Resolves: rhbz#1965251
+- Update userdom_exec_user_tmp_files() with an entrypoint rule
+Resolves: rhbz#1920883
+- Allow sudodomain send a null signal to sshd processes
+Resolves: rhbz#1966945
+- Allow sysadm_t dbus chat with tuned 1/2
+Resolves: rhbz#1965251
+- Allow cloud-init dbus chat with systemd-logind
+Resolves: rhbz#2009769
+- Allow svnserve send mail from the system
+Resolves: rhbz#2004843
+- Allow svnserve_t domain to read system state
+Resolves: rhbz#2004843
+
+* Tue Nov 09 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-83
+- VQP: Include IANA-assigned TCP/1589
+Resolves: rhbz#1924038
+- Label port 3785/udp with bfd_echo
+Resolves: rhbz#1924038
+- Allow sysadm_t dbus chat with realmd_t
+Resolves: rhbz#2000488
+- Support sanlock VG automated recovery on storage access loss 1/2
+Resolves: rhbz#1985000
+- Revert "Support sanlock VG automated recovery on storage access loss"
+Resolves: rhbz#1985000
+- Support sanlock VG automated recovery on storage access loss
+Resolves: rhbz#1985000
+- radius: Lexical sort of service-specific corenet rules by service name
+Resolves: rhbz#1924038
+- radius: Allow binding to the BDF Control and Echo ports
+Resolves: rhbz#1924038
+- radius: Allow binding to the DHCP client port
+Resolves: rhbz#1924038
+- radius: Allow net_raw; allow binding to the DHCP server ports
+Resolves: rhbz#1924038
+- Support hitless reloads feature in haproxy
+Resolves: rhbz#2015423
+- Allow redis get attributes of filesystems with extended attributes
+Resolves: rhbz#2015435
+- Support sanlock VG automated recovery on storage access loss 2/2
+Resolves: rhbz#1985000
+- Revert "Support sanlock VG automated recovery on storage access loss"
+Resolves: rhbz#1985000
+
+* Wed Oct 20 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-82
+- Support sanlock VG automated recovery on storage access loss
+Resolves: rhbz#1985000
+- Allow proper function sosreport in sysadmin role
+Resolves: rhbz#1965251
+- Allow systemd execute user bin files
+Resolves: rhbz#1860443
+- Label /dev/crypto/nx-gzip with accelerator_device_t
+Resolves: rhbz#2011166
+- Allow ipsec_t and login_userdomain named file transition in tmpfs
+Resolves: rhbz#2001599
+- Support sanlock VG automated recovery on storage access loss
+Resolves: rhbz#1985000
+- Allow proper function sosreport via iotop
+Resolves: rhbz#1965251
+- Call pkcs_tmpfs_named_filetrans for certmonger
+Resolves: rhbz#2001599
+- Allow ibacm the net_raw and sys_rawio capabilities
+Resolves: rhbz#2010644
+- Support new PING_CHECK health checker in keepalived
+Resolves: rhbz#2010873
+- Update spamassasin policy to make working /usr/share/spamassassin/sa-update.cron script
+Resolves: rhbz#2011239
+
+* Mon Oct 04 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-81
 - Allow unconfined domains to bpf all other domains
-Resolves: rhbz#2015846
+Resolves: rhbz#1991443
+- Allow vmtools_unconfined_t domain transition to rpm_script_t
+Resolves: rhbz#1872245
+- Allow unbound connectto unix_stream_socket
+Resolves: rhbz#1905441
+- Label /usr/sbin/virtproxyd as virtd_exec_t
+Resolves: rhbz#1854332
+- Allow postfix_domain to sendto unix dgram sockets.
+Resolves: rhbz#1920521

 * Thu Sep 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-80
 - Allow rhsmcertd_t dbus chat with anaconda install_t
-Resolves: rhbz#2002666
+Resolves: rhbz#2004990

 * Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-79
 - Introduce xdm_manage_bootloader booelan