import selinux-policy-3.14.3-67.el8

2021-05-18 02:37:22 -04:00 · 2021-05-18 02:37:22 -04:00 · 2c272bbe31
commit 2c272bbe31
parent 3a97f77985
4 changed files with 187 additions and 33 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-contrib-fd10e7c.tar.gz
-SOURCES/selinux-policy-eaa2960.tar.gz
+SOURCES/selinux-policy-55f4df9.tar.gz
+SOURCES/selinux-policy-contrib-5a34aed.tar.gz
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@ -1,3 +1,3 @@
-025f60a118360c251f237d922f92d8e5a17120a3 SOURCES/container-selinux.tgz
-b3cd1635dfa8d9c1e2a207cad5df4682771d85b6 SOURCES/selinux-policy-contrib-fd10e7c.tar.gz
-24cc6b18059a8e65f1303cde33482e8b18a3bdcf SOURCES/selinux-policy-eaa2960.tar.gz
+7ceb35aad9e24fb10f07a43f2df6b5c4bfd1cd96 SOURCES/container-selinux.tgz
+c10a1f894f9a2b1eb2159c2c753d97a5ff788887 SOURCES/selinux-policy-55f4df9.tar.gz
+00ac11cfcd23af70f64c6e2b80cd729e1b86036b SOURCES/selinux-policy-contrib-5a34aed.tar.gz
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@ -2388,13 +2388,6 @@ minissdpd = module
 #
 freeipmi = module

-# Layer: contrib
-# Module: freeipmi
-# 
-# ipa policy module contain SELinux policies for IPA services
-#
-ipa = module
-
 # Layer: contrib
 # Module: mirrormanager
 # 
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 eaa29602dcc6089f7f8e49eca9ee612146e20771
+%global commit0 55f4df96a3aff2ed1791e428385e1967856eed49
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})

 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 fd10e7cb92ddfd82248e1c8f5f68eadfbd74b4f7
+%global commit1 5a34aedf6563624d8543cbc708ba2a29be508872
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})

 %define distro redhat
@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 54%{?dist}.4
+Release: 67%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@ -254,12 +254,12 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
-%{_sharedstatedir}/selinux/%1/active/commit_num \
-%{_sharedstatedir}/selinux/%1/active/users_extra \
-%{_sharedstatedir}/selinux/%1/active/homedir_template \
-%{_sharedstatedir}/selinux/%1/active/seusers \
-%{_sharedstatedir}/selinux/%1/active/file_contexts \
-%{_sharedstatedir}/selinux/%1/active/policy.kern \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \
 %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
@ -715,23 +715,184 @@ exit 0
 %endif

 %changelog
-* Fri Apr 23 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-54.4
- Allow init dbus chat with kernel
-Resolves: rhbz#1947170
-
-* Mon Mar 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-54.3
+* Mon Mar 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-67
 - Allow systemd the audit_control capability conditionally
-Resolves: rhbz#1938216
+Resolves: rhbz#1861771

-* Mon Dec  7 19:32:27 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-54.2
+* Thu Mar 04 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-66
+- Disallow user_t run su/sudo and staff_t run su
+Resolves: rhbz#1907517
+
+* Mon Feb 22 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-65
+- Relabel /usr/sbin/charon-systemd as ipsec_exec_t
+Resolves: rhbz#1889542
+
+* Wed Feb 17 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-64
+- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
+Resolves: rhbz#1874527
+Resolves: rhbz#1877044
+- Allow rhsmcertd bind tcp sockets to a generic node
+Resolves: rhbz#1923985
+- Allow ipsec_mgmt_t mmap ipsec_conf_file_t files
+Resolves: rhbz#1889542
+- Allow strongswan start using swanctl method
+Resolves: rhbz#1889542
+- Allow systemd-importd manage machines.lock file
+Resolves: rhbz#1788055
+
+* Thu Feb 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-63
+- Allow rtkit_daemon_t domain set process nice value in user namespaces
+Resolves: rhbz#1910507
+- Allow gpsd read and write ptp4l_t shared memory.
+Resolves: rhbz#1803845
+- Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type
+Resolves: rhbz#1804626
+- Allow Certmonger to use opencryptoki services
+Resolves: rhbz#1894132
+- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
+Resolves: rhbz#1815603
+- Allow rhsmcertd_t read kpatch lib files
+Resolves: rhbz#1895322
+- Allow ipsec_t connectto ipsec_mgmt_t
+Resolves: rhbz#1848355
+- Allow IPsec to use opencryptoki services
+Resolves: rhbz#1894132
+- Allow systemd-importd create /run/systemd/machines.lock file
+Resolves: rhbz#1788055
+
+* Fri Jan 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-62
+- Allow rhsmcertd_t domain transition to kpatch_t
+Resolves: rhbz#1895322
+- Revert "Add kpatch_exec() interface"
+Resolves: rhbz#1895322
+- Revert "Allow rhsmcertd execute kpatch"
+Resolves: rhbz#1895322
+- Dontaudit NetworkManager_t domain to write to kdump temp pipies
+Resolves: rhbz#1842897
+- Allow NetworkManager_t domain to get status of samba services
+Resolves: rhbz#1781806
+- Allow openvswitch create and use xfrm netlink sockets
+Resolves: rhbz#1916046
+- Allow openvswitch_t perf_event write permission
+Resolves: rhbz#1916046
+- Add write_perf_event_perms object permission set
+Related: rhbz#1916046
+
+* Wed Jan 27 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-61
+- Add kpatch_exec() interface
+Resolves: rhbz#1895322
+- Allow rhsmcertd execute kpatch
+Resolves: rhbz#1895322
+- Allow openvswitch_t perf_event open permission
+Resolves: rhbz#1916046
+- Allow openvswitch fowner capability and create netlink sockets
+Resolves: rhbz#1883980
+- Add net_broadcast capability to openvswitch_t domain
+Resolves: rhbz#1883980
+- Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files
+Resolves: rhbz#1883980
+- Allow machinectl to run pull-tar
+Resolves: rhbz#1788055
+
+* Wed Jan 13 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-60
+- Allow wireshark create and use rdma socket
+Resolves: rhbz#1844370
+- Allow to use nnp_transition in pulseaudio_role
+Resolves: rhbz#1854471
+- Allow certmonger fsetid capability
+Resolves: rhbz#1873211
+- Add rsync_sys_admin tunable to allow rsync sys_admin capability
+Resolves: rhbz#1889673
+- Allow sysadm read and write /dev/rfkill
+Resolves: rhbz#1831630
+- Allow staff_u run pam_console_apply
+Resolves: rhbz#1817690
+- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t
+Resolves: rhbz#1907485
+
+* Thu Dec 17 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-59
+- Add cron_dbus_chat_system_job() interface
+Resolves: rhbz#1883906
+- Dontaudit firewalld dac_override capability
+Resolves: rhbz#1759010
+- Allow tcsd the setgid capability
+Resolves: rhbz#1898694
+- Allow timedatex dbus chat with cron system domain
+Resolves: rhbz#1883906
+- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain
+Resolves: rhbz#1854299
+- Allow pcp-pmcd manage perf_events
+Resolves: rhbz#1901958
+- Label /dev/isst_interface as cpu_device_t
+Resolves: rhbz#1902227
+- Allow ipsec set the context of a SPD entry to the default context
+Resolves: rhbz#1880474
+- Allow sysadm_u user and unconfined_domain_type manage perf_events
+Resolves: rhbz#1901958
+- Add manage_perf_event_perms object permissions set
+Resolves: rhbz#1901958
+- Add perf_event access vectors.
+Resolves: rhbz#1901958
+- Remove "ipa = module" from modules-targeted-contrib.conf
+Resolves: rhbz#1461914
+
+* Thu Dec  3 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-58
+- Allow kexec manage generic tmp files
+Resolves: rhbz#1896424
 - Update systemd-sleep policy
-Resolves: rhbz#1890884
+Resolves: rhbz#1850177
+- Add groupadd_t fowner capability
+Resolves: rhbz#1884179

-* Tue Oct 27 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-54.1
- Add fstools_rw_swap_files() interface
-Resolves: rhbz#1890884
+* Tue Nov 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-57
+- Allow dovecot bind to smtp ports
+Resolves: rhbz#1881884
+- Change fetchmail temporary files path to /var/spool/mail
+Resolves: rhbz#1853389
+- Set file context for symlinks in /etc/httpd to etc_t
+Resolves: rhbz#1900650
+- Allow dnsmasq read public files
+Resolves: rhbz#1782539
+- Fix range for unreserved ports
+Resolves: rhbz#1794531
+- Introduce logging_syslogd_append_public_content tunable
+Resolves: rhbz#1823672
+- Add files_search_non_security_dirs() interface
+Resolves: rhbz#1823672
+- Add miscfiles_append_public_files() interface
+Resolves: rhbz#1823672
+
+* Thu Nov 12 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-56
+- Let keepalived bind a raw socket
+Resolves: rhbz#1895130
+- Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid
+Resolves: rhbz#1853389
+- Allow arpwatch create and use rdma socket
+Resolves: rhbz#1843409
+- Set correct default file context for /usr/libexec/pcp/lib/*
+Resolves: rhbz#1886369
+- Allow systemd-logind manage efivarfs files
+Resolves: rhbz#1869979
+- Allow systemd_resolved_t to read efivarfs
+Resolves: rhbz#1869979
+- Allow systemd_modules_load_t to read efivarfs
+Resolves: rhbz#1869979
+- Allow read efivarfs_t files by domains executing systemctl file
+Resolves: rhbz#1869979
+- Introduce systemd_read_efivarfs_type attribute
+Resolves: rhbz#1869979
+
+* Mon Oct 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-55
+- Allow init dbus chat with kernel
+Resolves: rhbz#1694681
 - Confine systemd-sleep service
-Resolves: rhbz#1890884
+Resolves: rhbz#1850177
+- Add default file context for /usr/libexec/pcp/lib/*
+Resolves: rhbz#1886369
+- Allow rtkit_daemon_t to uise sys_ptrace usernamespace capability
+Resolves: rhbz#1873658
+- Add fstools_rw_swap_files() interface
+Resolves: rhbz#1850177

 * Thu Sep 17 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-54
 - Allow plymouth sys_chroot capability