From 2c272bbe31a1b34535f131e3c76b0aa6c6f77cdf Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 18 May 2021 02:37:22 -0400
Subject: [PATCH] import selinux-policy-3.14.3-67.el8

---
 .gitignore | 4 +-
 .selinux-policy.metadata | 6 +-
 SOURCES/modules-targeted-contrib.conf | 7 -
 SPECS/selinux-policy.spec | 203 +++++++++++++++++++++++---
 4 files changed, 187 insertions(+), 33 deletions(-)

diff --git a/.gitignore b/.gitignore
index ce026e8..2c81044 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-contrib-fd10e7c.tar.gz
-SOURCES/selinux-policy-eaa2960.tar.gz
+SOURCES/selinux-policy-55f4df9.tar.gz
+SOURCES/selinux-policy-contrib-5a34aed.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index 6de6386..30ba56b 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,3 +1,3 @@
-025f60a118360c251f237d922f92d8e5a17120a3 SOURCES/container-selinux.tgz
-b3cd1635dfa8d9c1e2a207cad5df4682771d85b6 SOURCES/selinux-policy-contrib-fd10e7c.tar.gz
-24cc6b18059a8e65f1303cde33482e8b18a3bdcf SOURCES/selinux-policy-eaa2960.tar.gz
+7ceb35aad9e24fb10f07a43f2df6b5c4bfd1cd96 SOURCES/container-selinux.tgz
+c10a1f894f9a2b1eb2159c2c753d97a5ff788887 SOURCES/selinux-policy-55f4df9.tar.gz
+00ac11cfcd23af70f64c6e2b80cd729e1b86036b SOURCES/selinux-policy-contrib-5a34aed.tar.gz
diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf
index 02c9839..7c6c66d 100644
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@@ -2388,13 +2388,6 @@ minissdpd = module
 #
 freeipmi = module
 
-# Layer: contrib
-# Module: freeipmi
-#
-# ipa policy module contain SELinux policies for IPA services
-#
-ipa = module
-
 # Layer: contrib
 # Module: mirrormanager
 #
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 59765e7..77b2574 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 eaa29602dcc6089f7f8e49eca9ee612146e20771
+%global commit0 55f4df96a3aff2ed1791e428385e1967856eed49
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 fd10e7cb92ddfd82248e1c8f5f68eadfbd74b4f7
+%global commit1 5a34aedf6563624d8543cbc708ba2a29be508872
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 54%{?dist}.4
+Release: 67%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -254,12 +254,12 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
-%{_sharedstatedir}/selinux/%1/active/commit_num \
-%{_sharedstatedir}/selinux/%1/active/users_extra \
-%{_sharedstatedir}/selinux/%1/active/homedir_template \
-%{_sharedstatedir}/selinux/%1/active/seusers \
-%{_sharedstatedir}/selinux/%1/active/file_contexts \
-%{_sharedstatedir}/selinux/%1/active/policy.kern \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \
 %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
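Review bot: The six new `%verify(not md5 size mtime)` entries (commit_num through policy.kern) switch off exactly the attributes by which `rpm -V` would notice that the loaded policy or its seusers/file_contexts inputs had been altered on disk, and the hunk records no reason for it. The neighbouring `%ghost` entries and the `rm -f ...*.linked` context suggest these files are regenerated on the target after install, which would justify the change, but that should be written down so a later maintainer does not read it as weakening verification by mistake; rather than inside the backslash-continued macro body, put a comment above the macro definition (outside this hunk), e.g. `# active-store files are rebuilt by the policy build on the target, so rpm -V skips their content/size/mtime; owner, group and mode are still verified`. Because rpm no longer covers the content of these files, tamper detection for the active policy store has to come from another control, such as a file-integrity baseline refreshed after each policy build. The %files macro this list belongs to starts and ends outside the hunk.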
@@ -715,23 +715,184 @@ exit 0
 %endif
 
 %changelog
-* Fri Apr 23 2021 Zdenek Pytela - 3.14.3-54.4
-- Allow init dbus chat with kernel
-Resolves: rhbz#1947170
-
-* Mon Mar 15 2021 Zdenek Pytela - 3.14.3-54.3
+* Mon Mar 15 2021 Zdenek Pytela - 3.14.3-67
 - Allow systemd the audit_control capability conditionally
-Resolves: rhbz#1938216
+Resolves: rhbz#1861771
 
-* Mon Dec 7 19:32:27 CET 2020 Zdenek Pytela - 3.14.3-54.2
+* Thu Mar 04 2021 Zdenek Pytela - 3.14.3-66
+- Disallow user_t run su/sudo and staff_t run su
+Resolves: rhbz#1907517
+
+* Mon Feb 22 2021 Zdenek Pytela - 3.14.3-65
+- Relabel /usr/sbin/charon-systemd as ipsec_exec_t
+Resolves: rhbz#1889542
+
+* Wed Feb 17 2021 Zdenek Pytela - 3.14.3-64
+- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
+Resolves: rhbz#1874527
+Resolves: rhbz#1877044
+- Allow rhsmcertd bind tcp sockets to a generic node
+Resolves: rhbz#1923985
+- Allow ipsec_mgmt_t mmap ipsec_conf_file_t files
+Resolves: rhbz#1889542
+- Allow strongswan start using swanctl method
+Resolves: rhbz#1889542
+- Allow systemd-importd manage machines.lock file
+Resolves: rhbz#1788055
+
+* Thu Feb 11 2021 Zdenek Pytela - 3.14.3-63
+- Allow rtkit_daemon_t domain set process nice value in user namespaces
+Resolves: rhbz#1910507
+- Allow gpsd read and write ptp4l_t shared memory.
+Resolves: rhbz#1803845
+- Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type
+Resolves: rhbz#1804626
+- Allow Certmonger to use opencryptoki services
+Resolves: rhbz#1894132
+- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
+Resolves: rhbz#1815603
+- Allow rhsmcertd_t read kpatch lib files
+Resolves: rhbz#1895322
+- Allow ipsec_t connectto ipsec_mgmt_t
+Resolves: rhbz#1848355
+- Allow IPsec to use opencryptoki services
+Resolves: rhbz#1894132
+- Allow systemd-importd create /run/systemd/machines.lock file
+Resolves: rhbz#1788055
+
+* Fri Jan 29 2021 Zdenek Pytela - 3.14.3-62
+- Allow rhsmcertd_t domain transition to kpatch_t
+Resolves: rhbz#1895322
+- Revert "Add kpatch_exec() interface"
+Resolves: rhbz#1895322
+- Revert "Allow rhsmcertd execute kpatch"
+Resolves: rhbz#1895322
+- Dontaudit NetworkManager_t domain to write to kdump temp pipies
+Resolves: rhbz#1842897
+- Allow NetworkManager_t domain to get status of samba services
+Resolves: rhbz#1781806
+- Allow openvswitch create and use xfrm netlink sockets
+Resolves: rhbz#1916046
+- Allow openvswitch_t perf_event write permission
+Resolves: rhbz#1916046
+- Add write_perf_event_perms object permission set
+Related: rhbz#1916046
+
+* Wed Jan 27 2021 Zdenek Pytela - 3.14.3-61
+- Add kpatch_exec() interface
+Resolves: rhbz#1895322
+- Allow rhsmcertd execute kpatch
+Resolves: rhbz#1895322
+- Allow openvswitch_t perf_event open permission
+Resolves: rhbz#1916046
+- Allow openvswitch fowner capability and create netlink sockets
+Resolves: rhbz#1883980
+- Add net_broadcast capability to openvswitch_t domain
+Resolves: rhbz#1883980
+- Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files
+Resolves: rhbz#1883980
+- Allow machinectl to run pull-tar
+Resolves: rhbz#1788055
+
+* Wed Jan 13 2021 Zdenek Pytela - 3.14.3-60
+- Allow wireshark create and use rdma socket
+Resolves: rhbz#1844370
+- Allow to use nnp_transition in pulseaudio_role
+Resolves: rhbz#1854471
+- Allow certmonger fsetid capability
+Resolves: rhbz#1873211
+- Add rsync_sys_admin tunable to allow rsync sys_admin capability
+Resolves: rhbz#1889673
+- Allow sysadm read and write /dev/rfkill
+Resolves: rhbz#1831630
+- Allow staff_u run pam_console_apply
+Resolves: rhbz#1817690
+- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t
+Resolves: rhbz#1907485
+
+* Thu Dec 17 2020 Zdenek Pytela - 3.14.3-59
+- Add cron_dbus_chat_system_job() interface
+Resolves: rhbz#1883906
+- Dontaudit firewalld dac_override capability
+Resolves: rhbz#1759010
+- Allow tcsd the setgid capability
+Resolves: rhbz#1898694
+- Allow timedatex dbus chat with cron system domain
+Resolves: rhbz#1883906
+- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain
+Resolves: rhbz#1854299
+- Allow pcp-pmcd manage perf_events
+Resolves: rhbz#1901958
+- Label /dev/isst_interface as cpu_device_t
+Resolves: rhbz#1902227
+- Allow ipsec set the context of a SPD entry to the default context
+Resolves: rhbz#1880474
+- Allow sysadm_u user and unconfined_domain_type manage perf_events
+Resolves: rhbz#1901958
+- Add manage_perf_event_perms object permissions set
+Resolves: rhbz#1901958
+- Add perf_event access vectors.
+Resolves: rhbz#1901958
+- Remove "ipa = module" from modules-targeted-contrib.conf
+Resolves: rhbz#1461914
+
+* Thu Dec 3 2020 Zdenek Pytela - 3.14.3-58
+- Allow kexec manage generic tmp files
+Resolves: rhbz#1896424
 - Update systemd-sleep policy
-Resolves: rhbz#1890884
+Resolves: rhbz#1850177
+- Add groupadd_t fowner capability
+Resolves: rhbz#1884179
 
-* Tue Oct 27 2020 Zdenek Pytela - 3.14.3-54.1
-- Add fstools_rw_swap_files() interface
-Resolves: rhbz#1890884
+* Tue Nov 24 2020 Zdenek Pytela - 3.14.3-57
+- Allow dovecot bind to smtp ports
+Resolves: rhbz#1881884
+- Change fetchmail temporary files path to /var/spool/mail
+Resolves: rhbz#1853389
+- Set file context for symlinks in /etc/httpd to etc_t
+Resolves: rhbz#1900650
+- Allow dnsmasq read public files
+Resolves: rhbz#1782539
+- Fix range for unreserved ports
+Resolves: rhbz#1794531
+- Introduce logging_syslogd_append_public_content tunable
+Resolves: rhbz#1823672
+- Add files_search_non_security_dirs() interface
+Resolves: rhbz#1823672
+- Add miscfiles_append_public_files() interface
+Resolves: rhbz#1823672
+
+* Thu Nov 12 2020 Zdenek Pytela - 3.14.3-56
+- Let keepalived bind a raw socket
+Resolves: rhbz#1895130
+- Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid
+Resolves: rhbz#1853389
+- Allow arpwatch create and use rdma socket
+Resolves: rhbz#1843409
+- Set correct default file context for /usr/libexec/pcp/lib/*
+Resolves: rhbz#1886369
+- Allow systemd-logind manage efivarfs files
+Resolves: rhbz#1869979
+- Allow systemd_resolved_t to read efivarfs
+Resolves: rhbz#1869979
+- Allow systemd_modules_load_t to read efivarfs
+Resolves: rhbz#1869979
+- Allow read efivarfs_t files by domains executing systemctl file
+Resolves: rhbz#1869979
+- Introduce systemd_read_efivarfs_type attribute
+Resolves: rhbz#1869979
+
+* Mon Oct 26 2020 Zdenek Pytela - 3.14.3-55
+- Allow init dbus chat with kernel
+Resolves: rhbz#1694681
 - Confine systemd-sleep service
-Resolves: rhbz#1890884
+Resolves: rhbz#1850177
+- Add default file context for /usr/libexec/pcp/lib/*
+Resolves: rhbz#1886369
+- Allow rtkit_daemon_t to uise sys_ptrace usernamespace capability
+Resolves: rhbz#1873658
+- Add fstools_rw_swap_files() interface
+Resolves: rhbz#1850177
 
 * Thu Sep 17 2020 Zdenek Pytela - 3.14.3-54
 - Allow plymouth sys_chroot capability