From 2caa19eb77362734854fb8f1044cd85bfe8b43b1 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 8 Nov 2022 01:54:46 -0500
Subject: [PATCH] import selinux-policy-3.14.3-108.el8

---
 .gitignore | 4 +-
 .selinux-policy.metadata | 6 +-
 SPECS/selinux-policy.spec | 303 +++++++++++++++++++++++++++++---------
 3 files changed, 236 insertions(+), 77 deletions(-)

diff --git a/.gitignore b/.gitignore
index 1ec9e6a..cb4bd4f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-31a9744.tar.gz
-SOURCES/selinux-policy-contrib-f659db9.tar.gz
+SOURCES/selinux-policy-76d3f46.tar.gz
+SOURCES/selinux-policy-contrib-f71a764.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index 6cbe2d1..8b25f61 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,3 +1,3 @@
-7e8924346f497afc19e9e727b431673b7a9d68a9 SOURCES/container-selinux.tgz
-029927e86dab9c8acfb0f9ee90b7727537c7657b SOURCES/selinux-policy-31a9744.tar.gz
-138acf482a7c4c350809c7b31c79294281be49db SOURCES/selinux-policy-contrib-f659db9.tar.gz
+630fb93dc3f0c54c9bac3e9e29742b235e3d3226 SOURCES/container-selinux.tgz
+868d9fd6e2fed0794a9a7b698586a5419d97cb7e SOURCES/selinux-policy-76d3f46.tar.gz
+fe5e8136583726cb626ba6eacc7c148df57926a7 SOURCES/selinux-policy-contrib-f71a764.tar.gz
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 9e69a17..8f5bb4e 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 31a9744d4abf9817c82d29dd791b0439bd632852
+%global commit0 76d3f46c6576aa301aef3702c1c30739f506691f
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 f659db9cce300873aabec1a11fcc39d69e043267
+%global commit1 f71a76424ebaf8e8af3896bc758cfe10b9102892
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 95%{?dist}.4
+Release: 108%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -148,7 +148,7 @@ SELinux policy development and man page package
 %{_usr}/share/selinux/devel/Makefile
 %{_usr}/share/selinux/devel/example.*
 %{_usr}/share/selinux/devel/policy.*
-%ghost %{_sharedstatedir}/sepolgen/interface_info
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info
 
 %post devel
 selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null
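Review bot: In the `@@ -148,7 +148,7 @@` hunk, `%verify(not md5 size mode mtime)` on the `interface_info` ghost entry also switches off the mode check, so `rpm -V selinux-policy-devel` will no longer report a permission change on `%{_sharedstatedir}/sepolgen/interface_info`. If the goal is only to stop content drift of a file that `sepolgen-ifgen` regenerates in `%post devel` from showing up as a verification failure, the narrower `%ghost %verify(not md5 size mtime) %{_sharedstatedir}/sepolgen/interface_info` keeps mode under verification. Whether sepolgen-ifgen creates the file with a mode that differs from the packaged default cannot be confirmed from this hunk, so the narrower list is only appropriate if the modes agree. User, group and link verification remain in effect with either form.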
@@ -717,92 +717,251 @@ exit 0
 %endif
 
 %changelog
-* Mon Aug 22 2022 Zdenek Pytela - 3.14.3-95.4
-- rebuild
-Resolves: rhbz#2103606
+* Thu Sep 08 2022 Zdenek Pytela - 3.14.3-108
+- Allow unconfined_service_t insights client content filetrans
+Resolves: rhbz#2119507
+- Allow nsswitch_domain to connect to systemd-machined using a unix socket
+Resolves: rhbz#2119507
+- Add init_status_all_script_files() interface
+Resolves: rhbz#2119507
+- Add dev_dontaudit_write_raw_memory() and dev_read_vsock() interfaces
+Resolves: rhbz#2119507
+- Update insights-client policy for additional commands execution 5
+Resolves: rhbz#2119507
+- Confine insights-client systemd unit
+Resolves: rhbz#2119507
+- Update insights-client policy for additional commands execution 4
+Resolves: rhbz#2119507
+- Change rhsmcertd_t to insights_client_t in insights-client policy
+Resolves: rhbz#2119507
+- Allow insights-client send signull to unconfined_service_t
+Resolves: rhbz#2119507
+- Update insights-client policy for additional commands execution 3
+Resolves: rhbz#2119507
+- Allow journalctl read init state
+Resolves: rhbz#2119507
+- Update insights-client policy for additional commands execution 2
+Resolves: rhbz#2119507
 
-* Thu Aug 04 2022 Zdenek Pytela - 3.14.3-95.3
+* Thu Aug 25 2022 Zdenek Pytela - 3.14.3-107
+- Label 319/udp port with ptp_event_port_t
+Resolves: rhbz#2118628
+- Allow unconfined and sysadm users transition for /root/.gnupg
+Resolves: rhbz#2119507
+- Add the kernel_read_proc_files() interface
+Resolves: rhbz#2119507
+- Add userdom_view_all_users_keys() interface
+Resolves: rhbz#2119507
+- Allow system_cronjob_t domtrans to rpm_script_t
+Resolves: rhbz#2118362
+- Allow smbd_t process noatsecure permission for winbind_rpcd_t
+Resolves: rhbz#2117199
+- Allow chronyd bind UDP sockets to ptp_event ports
+Resolves: rhbz#2118628
+- Allow samba-bgqd to read a printer list
+Resolves: rhbz#2118958
+- Add gpg_filetrans_admin_home_content() interface
+Resolves: rhbz#2119507
+- Update insights-client policy for additional commands execution
+Resolves: rhbz#2119507
+- Allow gpg read and write generic pty type
+Resolves: rhbz#2119507
+- Allow chronyc read and write generic pty type
+Resolves: rhbz#2119507
+- Disable rpm verification on interface_info
+Resolves: rhbz#2119472
+
+* Wed Aug 10 2022 Zdenek Pytela - 3.14.3-106
+- Allow networkmanager to signal unconfined process
+Resolves: rhbz#1918148
+- Allow sa-update to get init status and start systemd files
+Resolves: rhbz#2011239
+- Allow samba-bgqd get a printer list
+Resolves: rhbz#2114737
 - Allow insights-client rpm named file transitions
-Resolves: rhbz#2103606
+Resolves: rhbz#2104913
 - Add /var/tmp/insights-archive to insights_client_filetrans_named_content
-Resolves: rhbz#2103606
+Resolves: rhbz#2104913
 - Use insights_client_filetrans_named_content
-Resolves: rhbz#2103606
+Resolves: rhbz#2104913
 - Make default file context match with named transitions
-Resolves: rhbz#2103606
+Resolves: rhbz#2104913
 - Allow rhsmcertd to read insights config files
-Resolves: rhbz#2103606
+Resolves: rhbz#2104913
 - Label /etc/insights-client/machine-id
-Resolves: rhbz#2103606
+Resolves: rhbz#2104913
 
-* Tue Jul 12 2022 Zdenek Pytela - 3.14.3-95.2
-- Add the init_status_config_transient_files() interface
-Resolves: rhbz#2103606
-- Allow transition to insights_client named content
-Resolves: rhbz#2103606
-- Allow init_t to rw insights_client unnamed pipe
-Resolves: rhbz#2103606
-- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
-Resolves: rhbz#2103606
-- Add the gpg_manage_admin_home_content() interface
-Resolves: rhbz#2103606
+* Fri Jul 29 2022 Zdenek Pytela - 3.14.3-105
+- Do not call systemd_userdbd_stream_connect() for winbind-rpcd
+Resolves: rhbz#2108383
+- Update winbind_rpcd_t
+Resolves: rhbz#2108383
+- Allow irqbalance file transition for pid sock_files and directories
+Resolves: rhbz#2111916
+- Update irqbalance runtime directory file context
+Resolves: rhbz#2111916
+
+* Tue Jun 28 2022 Zdenek Pytela - 3.14.3-104
+- Update samba-dcerpcd policy for kerberos usage 2
+Resolves: rhbz#2096825
+
+* Mon Jun 27 2022 Zdenek Pytela - 3.14.3-103
+- Allow domain read usermodehelper state information
+Resolves: rhbz#2083504
+- Remove all kernel_read_usermodehelper_state() interface calls
+Resolves: rhbz#2083504
+- Allow samba-dcerpcd work with sssd
+Resolves: rhbz#2096825
+- Allow winbind_rpcd_t connect to self over a unix_stream_socket
+Resolves: rhbz#2096825
+- Update samba-dcerpcd policy for kerberos usage
+Resolves: rhbz#2096825
+- Allow keepalived read the contents of the sysfs filesystem
+Resolves: rhbz#2098189
+- Update policy for samba-dcerpcd
+Resolves: rhbz#2083504
+- Remove all kernel_read_usermodehelper_state() interface calls 2/2
+Resolves: rhbz#2083504
 - Update insights_client_filetrans_named_content()
-Resolves: rhbz#2103606
-- Add the insights_client_filetrans_named_content() interface
-Resolves: rhbz#2103606
-- Update policy for insights-client to run additional commands 3
-Resolves: rhbz#2103606
-- Allow insights-client get status of the systemd transient scripts
-Resolves: rhbz#2103606
-- Allow insights-client execute its private memfd: objects
-Resolves: rhbz#2103606
-- Update policy for insights-client to run additional commands 2
-Resolves: rhbz#2103606
-- Do not call systemd_userdbd_stream_connect() for insights-client
-Resolves: rhbz#2103606
-- Use insights_client_tmp_t instead of insights_client_var_tmp_t
-Resolves: rhbz#2103606
-- Change space indentation to tab in insights-client
-Resolves: rhbz#2103606
-- Use socket permissions sets in insights-client
-Resolves: rhbz#2103606
-- Update policy for insights-client to run additional commands
-Resolves: rhbz#2103606
-- Change rpm_setattr_db_files() to use a pattern
-Resolves: rhbz#2103606
-- Add rpm setattr db files macro
-Resolves: rhbz#2103606
-- Fix insights client
-Resolves: rhbz#2103606
-- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
-Resolves: rhbz#2103606
-- Allow insights-client manage gpg admin home content
-Resolves: rhbz#2103606
-- Label /var/cache/insights with insights_client_cache_t
-Resolves: rhbz#2103606
-- Allow insights-client search gconf homedir
-Resolves: rhbz#2103606
-- Allow insights-client create and use unix_dgram_socket
-Resolves: rhbz#2103606
-- Allow insights-client create_socket_perms for tcp/udp sockets
-Resolves: rhbz#2103606
-- Allow insights-client read rhnsd config files
-Resolves: rhbz#2103606
-- Allow insights-client search rhnsd configuration directory
-Resolves: rhbz#2103606
+Resolves: rhbz#2091117
 
-* Thu Jun 09 2022 Zdenek Pytela - 3.14.3-95.1
+* Wed Jun 22 2022 Zdenek Pytela - 3.14.3-102
+- Allow transition to insights_client named content
+Resolves: rhbz#2091117
+- Add the insights_client_filetrans_named_content() interface
+Resolves: rhbz#2091117
+- Update policy for insights-client to run additional commands 3
+Resolves: rhbz#2091117
+
+* Fri Jun 17 2022 Zdenek Pytela - 3.14.3-101
+- Add the init_status_config_transient_files() interface
+Resolves: rhbz#2091117
+- Allow init_t to rw insights_client unnamed pipe
+Resolves: rhbz#2091117
+- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
+Resolves: rhbz#2091117
+- Allow insights-client get status of the systemd transient scripts
+Resolves: rhbz#2091117
+- Allow insights-client execute its private memfd: objects
+Resolves: rhbz#2091117
+- Update policy for insights-client to run additional commands 2
+Resolves: rhbz#2091117
+- Do not call systemd_userdbd_stream_connect() for insights-client
+Resolves: rhbz#2091117
+- Use insights_client_tmp_t instead of insights_client_var_tmp_t
+Resolves: rhbz#2091117
+- Change space indentation to tab in insights-client
+Resolves: rhbz#2091117
+- Use socket permissions sets in insights-client
+Resolves: rhbz#2091117
+- Update policy for insights-client to run additional commands
+Resolves: rhbz#2091117
+- Change rpm_setattr_db_files() to use a pattern
+Resolves: rhbz#2091117
+- Add rpm setattr db files macro
+Resolves: rhbz#2091117
+- Fix insights client
+Resolves: rhbz#2091117
+- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
+Resolves: rhbz#2091117
+
+* Tue Jun 07 2022 Zdenek Pytela - 3.14.3-100
+- Update logging_create_generic_logs() to use create_files_pattern()
+Resolves: rhbz#2081907
+- Add the auth_read_passwd_file() interface
+Resolves: rhbz#2083504
+- Allow auditd_t noatsecure for a transition to audisp_remote_t
+Resolves: rhbz#2081907
+- Add support for samba-dcerpcd
+Resolves: rhbz#2083504
+- Allow rhsmcertd create generic log files
+Resolves: rhbz#1852086
+- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
+Resolves: rhbz#2090800
+
+* Mon May 23 2022 Zdenek Pytela - 3.14.3-99
+- Allow ifconfig_t domain to manage vmware logs
+Resolves: rhbz#1721943
+- Allow insights-client manage gpg admin home content
+Resolves: rhbz#2060834
+- Add the gpg_manage_admin_home_content() interface
+Resolves: rhbz#2060834
+- Label /var/cache/insights with insights_client_cache_t
+Resolves: rhbz#2063195
+- Allow insights-client search gconf homedir
+Resolves: rhbz#2087069
+- Allow insights-client create and use unix_dgram_socket
+Resolves: rhbz#2087069
 - Label more vdsm utils with virtd_exec_t
-Resolves: rhbz#2095184
+Resolves: rhbz#2063871
+- Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t
+Resolves: rhbz#2063871
+- Allow sblim-gatherd the kill capability
+Resolves: rhbz#2082677
+- Allow privoxy execmem
+Resolves: rhbz#2083940
+
+* Wed May 04 2022 Zdenek Pytela - 3.14.3-98
+- Allow sysadm user execute init scripts with a transition
+Resolves: rhbz#2039662
+- Change invalid type redisd_t to redis_t in redis_stream_connect()
+Resolves: rhbz#1897517
+- Allow php-fpm write access to /var/run/redis/redis.sock
+Resolves: rhbz#1897517
+- Allow sssd read systemd-resolved runtime directory
+Resolves: rhbz#2060721
+- Allow postfix stream connect to cyrus through runtime socket
+Resolves: rhbz#2066005
+- Allow insights-client create_socket_perms for tcp/udp sockets
+Resolves: rhbz#2073395
+- Allow insights-client read rhnsd config files
+Resolves: rhbz#2073395
+- Allow sblim-sfcbd connect to sblim-reposd stream
+Resolves: rhbz#2075810
+- Allow rngd drop privileges via setuid/setgid/setcap
+Resolves: rhbz#2076641
+- Allow rngd_t domain to use nsswitch
+Resolves: rhbz#2076641
+
+* Fri Apr 22 2022 Nikola Knazekova - 3.14.3-97
+- Create macro corenet_icmp_bind_generic_node()
+Resolves: rhbz#2070870
+- Allow traceroute_t and ping_t to bind generic nodes.
+Resolves: rhbz#2070870
+- Allow administrative users the bpf capability
+Resolves: rhbz#2070983
+- Allow insights-client search rhnsd configuration directory
+Resolves: rhbz#2073395
+- Allow ntlm_auth read the network state information
+Resolves: rhbz#2073349
+- Allow keepalived setsched and sys_nice
+Resolves: rhbz#2008033
+- Revert "Allow administrative users the bpf capability"
+Resolves: rhbz#2070983
+
+
+* Thu Apr 07 2022 Zdenek Pytela - 3.14.3-96
+- Add interface rpc_manage_exports
+Resolves: rhbz#2062183
+- Allow sshd read filesystem sysctl files
+Resolves: rhbz#2061403
+- Update targetd nfs & lvm
+Resolves: rhbz#2062183
+- Allow dhcpd_t domain to read network sysctls.
+Resolves: rhbz#2059509
+- Allow chronyd talk with unconfined user over unix domain dgram socket
+Resolves: rhbz#2065313
+- Allow fenced read kerberos key tables
+Resolves: rhbz#1964839
 
 * Thu Mar 24 2022 Zdenek Pytela - 3.14.3-95
 - Allow hostapd talk with unconfined user over unix domain dgram socket
-Resolves: rhbz#2064284
+Resolves: rhbz#2068007
 
 * Thu Mar 10 2022 Nikola Knazekova nknazeko@redhat.com - 3.14.3-94
 - Allow chronyd send a message to sosreport over datagram socket
 - Allow systemd-logind dbus chat with sosreport
-Resolves: rhbz#1949493
+Resolves: rhbz#2062607
 
 * Thu Feb 24 2022 Zdenek Pytela - 3.14.3-93
 - Allow systemd-networkd dbus chat with sosreport