import selinux-policy-3.14.3-67.el8
This commit is contained in:
CentOS Sources
parent
3a97f77985
commit
2c272bbe31
|
|
@ -1,3 +1,3 @@
|
|||
SOURCES/container-selinux.tgz
|
||||
SOURCES/selinux-policy-contrib-fd10e7c.tar.gz
|
||||
SOURCES/selinux-policy-eaa2960.tar.gz
|
||||
SOURCES/selinux-policy-55f4df9.tar.gz
|
||||
SOURCES/selinux-policy-contrib-5a34aed.tar.gz
|
||||
|
|
|
|||
|
|
@ -1,3 +1,3 @@
|
|||
025f60a118360c251f237d922f92d8e5a17120a3 SOURCES/container-selinux.tgz
|
||||
b3cd1635dfa8d9c1e2a207cad5df4682771d85b6 SOURCES/selinux-policy-contrib-fd10e7c.tar.gz
|
||||
24cc6b18059a8e65f1303cde33482e8b18a3bdcf SOURCES/selinux-policy-eaa2960.tar.gz
|
||||
7ceb35aad9e24fb10f07a43f2df6b5c4bfd1cd96 SOURCES/container-selinux.tgz
|
||||
c10a1f894f9a2b1eb2159c2c753d97a5ff788887 SOURCES/selinux-policy-55f4df9.tar.gz
|
||||
00ac11cfcd23af70f64c6e2b80cd729e1b86036b SOURCES/selinux-policy-contrib-5a34aed.tar.gz
|
||||
|
|
|
|||
|
|
@ -2388,13 +2388,6 @@ minissdpd = module
|
|||
#
|
||||
freeipmi = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: freeipmi
|
||||
#
|
||||
# ipa policy module contain SELinux policies for IPA services
|
||||
#
|
||||
ipa = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: mirrormanager
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,11 +1,11 @@
|
|||
# github repo with selinux-policy base sources
|
||||
%global git0 https://github.com/fedora-selinux/selinux-policy
|
||||
%global commit0 eaa29602dcc6089f7f8e49eca9ee612146e20771
|
||||
%global commit0 55f4df96a3aff2ed1791e428385e1967856eed49
|
||||
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
|
||||
|
||||
# github repo with selinux-policy contrib sources
|
||||
%global git1 https://github.com/fedora-selinux/selinux-policy-contrib
|
||||
%global commit1 fd10e7cb92ddfd82248e1c8f5f68eadfbd74b4f7
|
||||
%global commit1 5a34aedf6563624d8543cbc708ba2a29be508872
|
||||
%global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
|
||||
|
||||
%define distro redhat
|
||||
|
|
@ -29,7 +29,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.14.3
|
||||
Release: 54%{?dist}.4
|
||||
Release: 67%{?dist}
|
||||
License: GPLv2+
|
||||
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
|
||||
Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
|
||||
|
|
@ -254,12 +254,12 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
|
|||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
|
||||
%{_sharedstatedir}/selinux/%1/active/commit_num \
|
||||
%{_sharedstatedir}/selinux/%1/active/users_extra \
|
||||
%{_sharedstatedir}/selinux/%1/active/homedir_template \
|
||||
%{_sharedstatedir}/selinux/%1/active/seusers \
|
||||
%{_sharedstatedir}/selinux/%1/active/file_contexts \
|
||||
%{_sharedstatedir}/selinux/%1/active/policy.kern \
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \
|
||||
%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
|
||||
%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
|
||||
%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
|
||||
|
|
@ -715,23 +715,184 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Apr 23 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-54.4
|
||||
- Allow init dbus chat with kernel
|
||||
Resolves: rhbz#1947170
|
||||
|
||||
* Mon Mar 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-54.3
|
||||
* Mon Mar 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-67
|
||||
- Allow systemd the audit_control capability conditionally
|
||||
Resolves: rhbz#1938216
|
||||
Resolves: rhbz#1861771
|
||||
|
||||
* Mon Dec 7 19:32:27 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-54.2
|
||||
* Thu Mar 04 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-66
|
||||
- Disallow user_t run su/sudo and staff_t run su
|
||||
Resolves: rhbz#1907517
|
||||
|
||||
* Mon Feb 22 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-65
|
||||
- Relabel /usr/sbin/charon-systemd as ipsec_exec_t
|
||||
Resolves: rhbz#1889542
|
||||
|
||||
* Wed Feb 17 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-64
|
||||
- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
|
||||
Resolves: rhbz#1874527
|
||||
Resolves: rhbz#1877044
|
||||
- Allow rhsmcertd bind tcp sockets to a generic node
|
||||
Resolves: rhbz#1923985
|
||||
- Allow ipsec_mgmt_t mmap ipsec_conf_file_t files
|
||||
Resolves: rhbz#1889542
|
||||
- Allow strongswan start using swanctl method
|
||||
Resolves: rhbz#1889542
|
||||
- Allow systemd-importd manage machines.lock file
|
||||
Resolves: rhbz#1788055
|
||||
|
||||
* Thu Feb 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-63
|
||||
- Allow rtkit_daemon_t domain set process nice value in user namespaces
|
||||
Resolves: rhbz#1910507
|
||||
- Allow gpsd read and write ptp4l_t shared memory.
|
||||
Resolves: rhbz#1803845
|
||||
- Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type
|
||||
Resolves: rhbz#1804626
|
||||
- Allow Certmonger to use opencryptoki services
|
||||
Resolves: rhbz#1894132
|
||||
- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
|
||||
Resolves: rhbz#1815603
|
||||
- Allow rhsmcertd_t read kpatch lib files
|
||||
Resolves: rhbz#1895322
|
||||
- Allow ipsec_t connectto ipsec_mgmt_t
|
||||
Resolves: rhbz#1848355
|
||||
- Allow IPsec to use opencryptoki services
|
||||
Resolves: rhbz#1894132
|
||||
- Allow systemd-importd create /run/systemd/machines.lock file
|
||||
Resolves: rhbz#1788055
|
||||
|
||||
* Fri Jan 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-62
|
||||
- Allow rhsmcertd_t domain transition to kpatch_t
|
||||
Resolves: rhbz#1895322
|
||||
- Revert "Add kpatch_exec() interface"
|
||||
Resolves: rhbz#1895322
|
||||
- Revert "Allow rhsmcertd execute kpatch"
|
||||
Resolves: rhbz#1895322
|
||||
- Dontaudit NetworkManager_t domain to write to kdump temp pipies
|
||||
Resolves: rhbz#1842897
|
||||
- Allow NetworkManager_t domain to get status of samba services
|
||||
Resolves: rhbz#1781806
|
||||
- Allow openvswitch create and use xfrm netlink sockets
|
||||
Resolves: rhbz#1916046
|
||||
- Allow openvswitch_t perf_event write permission
|
||||
Resolves: rhbz#1916046
|
||||
- Add write_perf_event_perms object permission set
|
||||
Related: rhbz#1916046
|
||||
|
||||
* Wed Jan 27 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-61
|
||||
- Add kpatch_exec() interface
|
||||
Resolves: rhbz#1895322
|
||||
- Allow rhsmcertd execute kpatch
|
||||
Resolves: rhbz#1895322
|
||||
- Allow openvswitch_t perf_event open permission
|
||||
Resolves: rhbz#1916046
|
||||
- Allow openvswitch fowner capability and create netlink sockets
|
||||
Resolves: rhbz#1883980
|
||||
- Add net_broadcast capability to openvswitch_t domain
|
||||
Resolves: rhbz#1883980
|
||||
- Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files
|
||||
Resolves: rhbz#1883980
|
||||
- Allow machinectl to run pull-tar
|
||||
Resolves: rhbz#1788055
|
||||
|
||||
* Wed Jan 13 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-60
|
||||
- Allow wireshark create and use rdma socket
|
||||
Resolves: rhbz#1844370
|
||||
- Allow to use nnp_transition in pulseaudio_role
|
||||
Resolves: rhbz#1854471
|
||||
- Allow certmonger fsetid capability
|
||||
Resolves: rhbz#1873211
|
||||
- Add rsync_sys_admin tunable to allow rsync sys_admin capability
|
||||
Resolves: rhbz#1889673
|
||||
- Allow sysadm read and write /dev/rfkill
|
||||
Resolves: rhbz#1831630
|
||||
- Allow staff_u run pam_console_apply
|
||||
Resolves: rhbz#1817690
|
||||
- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t
|
||||
Resolves: rhbz#1907485
|
||||
|
||||
* Thu Dec 17 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-59
|
||||
- Add cron_dbus_chat_system_job() interface
|
||||
Resolves: rhbz#1883906
|
||||
- Dontaudit firewalld dac_override capability
|
||||
Resolves: rhbz#1759010
|
||||
- Allow tcsd the setgid capability
|
||||
Resolves: rhbz#1898694
|
||||
- Allow timedatex dbus chat with cron system domain
|
||||
Resolves: rhbz#1883906
|
||||
- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain
|
||||
Resolves: rhbz#1854299
|
||||
- Allow pcp-pmcd manage perf_events
|
||||
Resolves: rhbz#1901958
|
||||
- Label /dev/isst_interface as cpu_device_t
|
||||
Resolves: rhbz#1902227
|
||||
- Allow ipsec set the context of a SPD entry to the default context
|
||||
Resolves: rhbz#1880474
|
||||
- Allow sysadm_u user and unconfined_domain_type manage perf_events
|
||||
Resolves: rhbz#1901958
|
||||
- Add manage_perf_event_perms object permissions set
|
||||
Resolves: rhbz#1901958
|
||||
- Add perf_event access vectors.
|
||||
Resolves: rhbz#1901958
|
||||
- Remove "ipa = module" from modules-targeted-contrib.conf
|
||||
Resolves: rhbz#1461914
|
||||
|
||||
* Thu Dec 3 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-58
|
||||
- Allow kexec manage generic tmp files
|
||||
Resolves: rhbz#1896424
|
||||
- Update systemd-sleep policy
|
||||
Resolves: rhbz#1890884
|
||||
Resolves: rhbz#1850177
|
||||
- Add groupadd_t fowner capability
|
||||
Resolves: rhbz#1884179
|
||||
|
||||
* Tue Oct 27 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-54.1
|
||||
- Add fstools_rw_swap_files() interface
|
||||
Resolves: rhbz#1890884
|
||||
* Tue Nov 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-57
|
||||
- Allow dovecot bind to smtp ports
|
||||
Resolves: rhbz#1881884
|
||||
- Change fetchmail temporary files path to /var/spool/mail
|
||||
Resolves: rhbz#1853389
|
||||
- Set file context for symlinks in /etc/httpd to etc_t
|
||||
Resolves: rhbz#1900650
|
||||
- Allow dnsmasq read public files
|
||||
Resolves: rhbz#1782539
|
||||
- Fix range for unreserved ports
|
||||
Resolves: rhbz#1794531
|
||||
- Introduce logging_syslogd_append_public_content tunable
|
||||
Resolves: rhbz#1823672
|
||||
- Add files_search_non_security_dirs() interface
|
||||
Resolves: rhbz#1823672
|
||||
- Add miscfiles_append_public_files() interface
|
||||
Resolves: rhbz#1823672
|
||||
|
||||
* Thu Nov 12 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-56
|
||||
- Let keepalived bind a raw socket
|
||||
Resolves: rhbz#1895130
|
||||
- Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid
|
||||
Resolves: rhbz#1853389
|
||||
- Allow arpwatch create and use rdma socket
|
||||
Resolves: rhbz#1843409
|
||||
- Set correct default file context for /usr/libexec/pcp/lib/*
|
||||
Resolves: rhbz#1886369
|
||||
- Allow systemd-logind manage efivarfs files
|
||||
Resolves: rhbz#1869979
|
||||
- Allow systemd_resolved_t to read efivarfs
|
||||
Resolves: rhbz#1869979
|
||||
- Allow systemd_modules_load_t to read efivarfs
|
||||
Resolves: rhbz#1869979
|
||||
- Allow read efivarfs_t files by domains executing systemctl file
|
||||
Resolves: rhbz#1869979
|
||||
- Introduce systemd_read_efivarfs_type attribute
|
||||
Resolves: rhbz#1869979
|
||||
|
||||
* Mon Oct 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-55
|
||||
- Allow init dbus chat with kernel
|
||||
Resolves: rhbz#1694681
|
||||
- Confine systemd-sleep service
|
||||
Resolves: rhbz#1890884
|
||||
Resolves: rhbz#1850177
|
||||
- Add default file context for /usr/libexec/pcp/lib/*
|
||||
Resolves: rhbz#1886369
|
||||
- Allow rtkit_daemon_t to uise sys_ptrace usernamespace capability
|
||||
Resolves: rhbz#1873658
|
||||
- Add fstools_rw_swap_files() interface
|
||||
Resolves: rhbz#1850177
|
||||
|
||||
* Thu Sep 17 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-54
|
||||
- Allow plymouth sys_chroot capability
|
||||
|
|
|
|||
Loading…
Reference in New Issue