From 2726dc48f2eb8b825e0250f49ce684081e598625 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 10 May 2022 03:13:52 -0400
Subject: [PATCH] import selinux-policy-3.14.3-95.el8

---
 .gitignore                            |   4 +-
 .selinux-policy.metadata              |   6 +-
 SOURCES/modules-targeted-contrib.conf |   7 +
 SPECS/selinux-policy.spec             | 275 +++++++++++++++++++++++++-
 4 files changed, 277 insertions(+), 15 deletions(-)

diff --git a/.gitignore b/.gitignore
index d498299..14e5cc4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-5e22faf.tar.gz
-SOURCES/selinux-policy-contrib-e231b3e.tar.gz
+SOURCES/selinux-policy-ab10edf.tar.gz
+SOURCES/selinux-policy-contrib-191fa35.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index b7bd335..07f0c3a 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,3 +1,3 @@
-f5ad37b9dabd129300229ec0751db35e6d62c332 SOURCES/container-selinux.tgz
-75b142d56c6376c30f8590e3807a904fbe307607 SOURCES/selinux-policy-5e22faf.tar.gz
-f386b378f3a398fc17dfbaa3acfacbeaeaf5e0b4 SOURCES/selinux-policy-contrib-e231b3e.tar.gz
+fe7cc80203e8b5272aa4a6525845f5c8d1671f84 SOURCES/container-selinux.tgz
+63370b22c1c8e54e56b2636c09d124754cb0f2d4 SOURCES/selinux-policy-ab10edf.tar.gz
+a102adb4e4b8dac769ab8ea166288c3c1dbc4967 SOURCES/selinux-policy-contrib-191fa35.tar.gz
diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf
index de87626..e683239 100644
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@@ -2656,3 +2656,10 @@ rrdcached = module
 # stratisd
 #
 stratisd = module
+
+# Layer: contrib
+# Module: insights_client
+#
+# insights_client
+#
+insights_client = module
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 87d5f78..e988220 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 5e22fafd0a9ff7c9980fe25997d1f0e3dacc6486
+%global commit0 ab10edf9d09f671f038fbc4446ddc7d8ceb1a266
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 e231b3e6ede7acd60339cc7264bbdba1da6014d2
+%global commit1 191fa35ac243f8f3f1db0a9e95c77b6e308a16e9
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -24,12 +24,12 @@
 %define BUILD_MLS 1
 %endif
 %define POLICYVER 31
-%define POLICYCOREUTILSVER 2.9
+%define POLICYCOREUTILSVER 2.9-19
 %define CHECKPOLICYVER 2.9
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 80%{?dist}.2
+Release: 95%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -141,6 +141,7 @@ SELinux policy development and man page package
 %dir %{_usr}/share/selinux/devel
 %dir %{_usr}/share/selinux/devel/include
 %{_usr}/share/selinux/devel/include/*
+%exclude %{_usr}/share/selinux/devel/include/contrib/container.if
 %dir %{_usr}/share/selinux/devel/html
 %{_usr}/share/selinux/devel/html/*html
 %{_usr}/share/selinux/devel/html/*css
@@ -264,6 +265,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \
 #%{_libexecdir}/selinux/selinux-factory-reset \
 #%{_unitdir}/selinux-factory-reset@.service \
 #%{_unitdir}/basic.target.wants/selinux-factory-reset@%1.service \
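Review bot: `%define POLICYCOREUTILSVER 2.9-19` now carries a release component, whereas the previous value and the neighbouring `CHECKPOLICYVER 2.9` are plain versions; for the release part to mean anything, every `BuildRequires`/`Requires` that expands this macro must use a `>=` comparison, and those lines lie outside this hunk so I cannot confirm it. The 3.14.3-93 changelog entry ties this bump to "buildrequire policycoreutils-devel >= 2.9-19" in the same entry as "Add modules_checksum to %files", so presumably the newer policycoreutils is what makes that file appear in the store. A one-line comment above the define would keep the two changes linked for the next maintainer: `# 2.9-19 is the first build that produces modules_checksum in the policy store (see %files)`.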
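Review bot: The new `%verify(not md5 size mtime)` entry for modules_checksum means `rpm -V` will accept any content of that file, the same treatment file_contexts.homedirs gets on the line above; this is presumably intended because the store under %{_sharedstatedir}/selinux/%1/active is rewritten on the target host, but the rationale is not recorded in the macro. Because rpm verification is one of the integrity signals defenders rely on, a comment should say that this file is regenerated locally and therefore has to be covered by other integrity monitoring if that matters, e.g. `# modules_checksum is regenerated on the host (like file_contexts.homedirs); rpm -V cannot validate it`. The %files macro this line belongs to continues past the end of the hunk.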
@@ -715,17 +717,270 @@ exit 0
 %endif
 
 %changelog
-* Fri Dec 10 2021 Zdenek Pytela - 3.14.3-80.2
-- Allow unconfined_t to node_bind icmp_sockets in node_t domain
-Resolves: rhbz#2027691
+* Thu Mar 24 2022 Zdenek Pytela - 3.14.3-95
+- Allow hostapd talk with unconfined user over unix domain dgram socket
+Resolves: rhbz#2064284
 
-* Wed Nov 10 2021 Zdenek Pytela - 3.14.3-80.1
+* Thu Mar 10 2022 Nikola Knazekova nknazeko@redhat.com - 3.14.3-94
+- Allow chronyd send a message to sosreport over datagram socket
+- Allow systemd-logind dbus chat with sosreport
+Resolves: rhbz#1949493
+
+* Thu Feb 24 2022 Zdenek Pytela - 3.14.3-93
+- Allow systemd-networkd dbus chat with sosreport
+Resolves: rhbz#1949493
+- Allow sysadm_passwd_t to relabel passwd and group files
+Resolves: rhbz#2053457
+- Allow confined sysadmin to use tool vipw
+Resolves: rhbz#2053457
+- Allow sosreport dbus chat with abrt and timedatex
+Resolves: rhbz#1949493
+- Remove unnecessary /etc file transitions for insights-client
+Resolves: rhbz#2031853
+- Label all content in /var/lib/insights with insights_client_var_lib_t
+Resolves: rhbz#2031853
+- Update insights-client policy
+Resolves: rhbz#2031853
+- Update insights-client: fc pattern, motd, writing to etc
+Resolves: rhbz#2031853
+- Remove permissive domain for insights_client_t
+Resolves: rhbz#2031853
+- New policy for insight-client
+Resolves: rhbz#2031853
+- Add the insights_client module
+Resolves: rhbz#2031853
+- Update specfile to buildrequire policycoreutils-devel >= 2.9-19
+- Add modules_checksum to %files
+
+* Wed Feb 16 2022 Zdenek Pytela - 3.14.3-92
+- Allow postfix_domain read dovecot certificates 1/2
+Resolves: rhbz#2043599
+- Dontaudit dirsrv search filesystem sysctl directories 1/2
+Resolves: rhbz#2042568
+- Allow chage domtrans to sssd
+Resolves: rhbz#2054718
+- Allow postfix_domain read dovecot certificates 2/2
+Resolves: rhbz#2043599
+- Allow ctdb create cluster logs
+Resolves: rhbz#2049481
+- Allow alsa bind mixer controls to led triggers
+Resolves: rhbz#2049730
+- Allow alsactl set group Process ID of a process
+Resolves: rhbz#2049730
+- Dontaudit mdadm list dirsrv tmpfs dirs
+Resolves: rhbz#2011174
+- Dontaudit dirsrv search filesystem sysctl directories 2/2
+Resolves: rhbz#2042568
+- Revert "Label NetworkManager-dispatcher service with separate context"
+Related: rhbz#1989070
+- Revert "Allow NetworkManager-dispatcher dbus chat with NetworkManager"
+Related: rhbz#1989070
+
+* Wed Feb 09 2022 Zdenek Pytela - 3.14.3-91
+- Allow NetworkManager-dispatcher dbus chat with NetworkManager
+Resolves: rhbz#1989070
+
+* Fri Feb 04 2022 Zdenek Pytela - 3.14.3-90
+- Fix badly indented used interfaces
+Resolves: rhbz#2030156
+- Allow domain transition to sssd_t 1/2
+Resolves: rhbz#2022690
+- Allow confined users to use kinit,klist and etc.
+Resolves: rhbz#2026598
+- Allow login_userdomain open/read/map system journal
+Resolves: rhbz#2046481
+- Allow init read stratis data symlinks 2/2
+Resolves: rhbz#2048514
+- Label new utility of NetworkManager nm-priv-helper
+Resolves: rhbz#1986076
+- Label NetworkManager-dispatcher service with separate context
+Resolves: rhbz#1989070
+- Allow domtrans to sssd_t and role access to sssd
+Resolves: rhbz#2030156
+- Creating interface sssd_run_sssd()
+Resolves: rhbz#2030156
+- Allow domain transition to sssd_t 2/2
+Resolves: rhbz#2022690
+- Allow timedatex dbus chat with xdm
+Resolves: rhbz#2040214
+- Associate stratisd_data_t with device filesystem
+Resolves: rhbz#2048514
+- Allow init read stratis data symlinks 1/2
+Resolves: rhbz#2048514
+- Allow rhsmcertd create rpm hawkey logs with correct label
+Resolves: rhbz#1949871
+
+* Wed Jan 26 2022 Zdenek Pytela - 3.14.3-89
+- Allow NetworkManager talk with unconfined user over unix domain dgram socket
+Resolves: rhbz#2044048
+- Allow system_mail_t read inherited apache system content rw files
+Resolves: rhbz#1988339
+- Add apache_read_inherited_sys_content_rw_files() interface
+Related: rhbz#1988339
+- Allow rhsm-service execute its private memfd: objects
+Resolves: rhbz#2029873
+- Allow dirsrv read configfs files and directories
+Resolves: rhbz#2042568
+- Label /run/stratisd with stratisd_var_run_t
+Resolves: rhbz#1879585
+- Fix path for excluding container.if from selinux-policy-devel
+Resolves: rhbz#1861968
+
+* Thu Jan 20 2022 Zdenek Pytela - 3.14.3-88
+- Revert "Label /etc/cockpit/ws-certs.d with cert_t"
+Related: rhbz#1907473
+
+* Tue Jan 18 2022 Zdenek Pytela - 3.14.3-87
+- Set default file context for /sys/firmware/efi/efivars
+Resolves: rhbz#2039458
+- Allow sysadm_t start and stop transient services
+Resolves: rhbz#2031065
+- Label /etc/cockpit/ws-certs.d with cert_t
+Resolves: rhbz#1907473
+- Allow smbcontrol read the network state information
+Resolves: rhbz#2033873
+- Allow rhsm-service read/write its private memfd: objects
+Resolves: rhbz#2029873
+- Allow fcoemon request the kernel to load a module
+Resolves: rhbz#1940317
+- Allow radiusd connect to the radacct port
+Resolves: rhbz#2038955
+- Label /var/lib/shorewall6-lite with shorewall_var_lib_t
+Resolves: rhbz#2041447
+- Exclude container.if from selinux-policy-devel
+Resolves: rhbz#1861968
+
+* Mon Jan 03 2022 Zdenek Pytela - 3.14.3-86
+- Allow sysadm execute sysadmctl in sysadm_t domain using sudo
+Resolves: rhbz#2013749
+- Allow local_login_t get attributes of tmpfs filesystems
+Resolves: rhbz#2015539
+- Allow local_login_t get attributes of filesystems with ext attributes
+Resolves: rhbz#2015539
+- Allow local_login_t domain to getattr cgroup filesystem
+Resolves: rhbz#2015539
+- Allow systemd read unlabeled symbolic links
+Resolves: rhbz#2021835
+- Allow userdomains use pam_ssh_agent_auth for passwordless sudo
+Resolves: rhbz#1917879
+- Allow sudodomains execute passwd in the passwd domain
+Resolves: rhbz#1943572
+- Label authcompat.py with authconfig_exec_t
+Resolves: rhbz#1919122
+- Dontaudit pkcsslotd sys_admin capability
+Resolves: rhbz#2021887
+- Allow lldpd connect to snmpd with a unix domain stream socket
+Resolves: rhbz#1991029
+
+* Tue Dec 07 2021 Zdenek Pytela - 3.14.3-85
+- Allow unconfined_t to node_bind icmp_sockets in node_t domain
+Resolves: rhbz#2025445
+- Allow rhsmcertd get attributes of tmpfs_t filesystems
+Resolves: rhbz#2015820
+- The nfsdcld service is now confined by SELinux
+Resolves: rhbz#2026588
+- Allow smbcontrol use additional socket types
+Resolves: rhbz#2027740
+- Allow lldpd use an snmp subagent over a tcp socket
+Resolves: rhbz#2028379
+
+* Wed Nov 24 2021 Zdenek Pytela - 3.14.3-84
+- Allow sysadm_t read/write pkcs shared memory segments
+Resolves: rhbz#1965251
+- Allow sysadm_t connect to sanlock over a unix stream socket
+Resolves: rhbz#1965251
+- Allow sysadm_t dbus chat with sssd
+Resolves: rhbz#1965251
+- Allow sysadm_t set attributes on character device nodes
+Resolves: rhbz#1965251
+- Allow sysadm_t read and write watchdog devices
+Resolves: rhbz#1965251
+- Allow sysadm_t connect to cluster domains over a unix stream socket
+Resolves: rhbz#1965251
+- Allow sysadm_t dbus chat with tuned 2/2
+Resolves: rhbz#1965251
+- Update userdom_exec_user_tmp_files() with an entrypoint rule
+Resolves: rhbz#1920883
+- Allow sudodomain send a null signal to sshd processes
+Resolves: rhbz#1966945
+- Allow sysadm_t dbus chat with tuned 1/2
+Resolves: rhbz#1965251
+- Allow cloud-init dbus chat with systemd-logind
+Resolves: rhbz#2009769
+- Allow svnserve send mail from the system
+Resolves: rhbz#2004843
+- Allow svnserve_t domain to read system state
+Resolves: rhbz#2004843
+
+* Tue Nov 09 2021 Zdenek Pytela - 3.14.3-83
+- VQP: Include IANA-assigned TCP/1589
+Resolves: rhbz#1924038
+- Label port 3785/udp with bfd_echo
+Resolves: rhbz#1924038
+- Allow sysadm_t dbus chat with realmd_t
+Resolves: rhbz#2000488
+- Support sanlock VG automated recovery on storage access loss 1/2
+Resolves: rhbz#1985000
+- Revert "Support sanlock VG automated recovery on storage access loss"
+Resolves: rhbz#1985000
+- Support sanlock VG automated recovery on storage access loss
+Resolves: rhbz#1985000
+- radius: Lexical sort of service-specific corenet rules by service name
+Resolves: rhbz#1924038
+- radius: Allow binding to the BDF Control and Echo ports
+Resolves: rhbz#1924038
+- radius: Allow binding to the DHCP client port
+Resolves: rhbz#1924038
+- radius: Allow net_raw; allow binding to the DHCP server ports
+Resolves: rhbz#1924038
+- Support hitless reloads feature in haproxy
+Resolves: rhbz#2015423
+- Allow redis get attributes of filesystems with extended attributes
+Resolves: rhbz#2015435
+- Support sanlock VG automated recovery on storage access loss 2/2
+Resolves: rhbz#1985000
+- Revert "Support sanlock VG automated recovery on storage access loss"
+Resolves: rhbz#1985000
+
+* Wed Oct 20 2021 Zdenek Pytela - 3.14.3-82
+- Support sanlock VG automated recovery on storage access loss
+Resolves: rhbz#1985000
+- Allow proper function sosreport in sysadmin role
+Resolves: rhbz#1965251
+- Allow systemd execute user bin files
+Resolves: rhbz#1860443
+- Label /dev/crypto/nx-gzip with accelerator_device_t
+Resolves: rhbz#2011166
+- Allow ipsec_t and login_userdomain named file transition in tmpfs
+Resolves: rhbz#2001599
+- Support sanlock VG automated recovery on storage access loss
+Resolves: rhbz#1985000
+- Allow proper function sosreport via iotop
+Resolves: rhbz#1965251
+- Call pkcs_tmpfs_named_filetrans for certmonger
+Resolves: rhbz#2001599
+- Allow ibacm the net_raw and sys_rawio capabilities
+Resolves: rhbz#2010644
+- Support new PING_CHECK health checker in keepalived
+Resolves: rhbz#2010873
+- Update spamassasin policy to make working /usr/share/spamassassin/sa-update.cron script
+Resolves: rhbz#2011239
+
+* Mon Oct 04 2021 Zdenek Pytela - 3.14.3-81
 - Allow unconfined domains to bpf all other domains
-Resolves: rhbz#2015846
+Resolves: rhbz#1991443
+- Allow vmtools_unconfined_t domain transition to rpm_script_t
+Resolves: rhbz#1872245
+- Allow unbound connectto unix_stream_socket
+Resolves: rhbz#1905441
+- Label /usr/sbin/virtproxyd as virtd_exec_t
+Resolves: rhbz#1854332
+- Allow postfix_domain to sendto unix dgram sockets.
+Resolves: rhbz#1920521
 
 * Thu Sep 16 2021 Zdenek Pytela - 3.14.3-80
 - Allow rhsmcertd_t dbus chat with anaconda install_t
-Resolves: rhbz#2002666
+Resolves: rhbz#2004990
 
 * Fri Aug 27 2021 Zdenek Pytela - 3.14.3-79
 - Introduce xdm_manage_bootloader booelan