From 318acc95107d0c0b63075da07836b6674903deec Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Wed, 6 Jun 2018 10:25:52 +0200 Subject: [PATCH] * Wed Jun 06 2018 Lukas Vrabec - 3.14.2-22 - Fix typo in authconfig policy - Update ctdb domain to support gNFS setup - Allow authconfig_t dbus chat with policykit - Allow lircd_t domain to read system state - Revert "Allow fsdaemon_t do send emails BZ(1582701)" - Typo in uuidd policy - Allow tangd_t domain read certs - Allow vpnc_t domain to read configfs_t files/dirs BZ(1583107) - Allow vpnc_t domain to read generic certs BZ(1583100) - Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811) - Allow NetworkManager_ssh_t domain to be system dbud client - Allow virt_qemu_ga_t read utmp - Add capability dac_override to system_mail_t domain - Update uuidd policy to reflect last changes from base branch - Add cap dac_override to procmail_t domain - Allow sendmail to mmap etc_aliases_t files BZ(1578569) - Add new interface dbus_read_pid_sock_files() - Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean will be enabled - Allow fsdaemon_t do send emails BZ(1582701) - Allow firewalld_t domain to request kernel module BZ(1573501) - Allow chronyd_t domain to send send msg via dgram socket BZ(1584757) - Add sys_admin capability to fprint_t SELinux domain - Allow cyrus_t domain to create own files under /var/run BZ(1582885) - Allow cachefiles_kernel_t domain to have capability dac_override - Update policy for ypserv_t domain - Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t - Allow cyrus to have dac_override capability - Dontaudit action when abrt-hook-ccpp is writing to nscd sockets - Fix homedir polyinstantion under mls - Fixed typo in init.if file - Allow systemd to remove generic tmpt files BZ(1583144) - Update init_named_socket_activation() interface to also allow systemd create objects in /var/run with proper label during socket activation - Allow systemd-networkd and systemd-resolved services read system-dbusd socket BZ(1579075) - Fix typo in authlogin SELinux security module - Allod nsswitch_domain attribute to be system dbusd client BZ(1584632) - Allow audisp_t domain to mmap audisp_exec_t binary - Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file - Label tcp/udp ports 2612 as qpasa_agetn_port_t --- .gitignore | 2 ++ selinux-policy.spec | 46 ++++++++++++++++++++++++++++++++++++++++++--- sources | 6 +++--- 3 files changed, 48 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 08d9773f..19e606eb 100644 --- a/.gitignore +++ b/.gitignore @@ -287,3 +287,5 @@ serefpolicy* /selinux-policy-contrib-12d91da.tar.gz /selinux-policy-contrib-6cf567f.tar.gz /selinux-policy-a1ec13e.tar.gz +/selinux-policy-contrib-93edf9a.tar.gz +/selinux-policy-d06c960.tar.gz diff --git a/selinux-policy.spec b/selinux-policy.spec index 0fcf1ceb..671d5ff5 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 a1ec13e6114be5f88449a3f7e87468ca5f36ead5 +%global commit0 d06c960c55dcf093800123327a58c4adf3ffe3dd %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 6cf567fea24b91d5a6a82e37e66a0c01548846b2 +%global commit1 93edf9a38fec7dac9845cb7d5630b4ae931e36f7 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat @@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.2 -Release: 21%{?dist} +Release: 22%{?dist} License: GPLv2+ Group: System Environment/Base Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz @@ -718,6 +718,46 @@ exit 0 %endif %changelog +* Wed Jun 06 2018 Lukas Vrabec - 3.14.2-22 +- Fix typo in authconfig policy +- Update ctdb domain to support gNFS setup +- Allow authconfig_t dbus chat with policykit +- Allow lircd_t domain to read system state +- Revert "Allow fsdaemon_t do send emails BZ(1582701)" +- Typo in uuidd policy +- Allow tangd_t domain read certs +- Allow vpnc_t domain to read configfs_t files/dirs BZ(1583107) +- Allow vpnc_t domain to read generic certs BZ(1583100) +- Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811) +- Allow NetworkManager_ssh_t domain to be system dbud client +- Allow virt_qemu_ga_t read utmp +- Add capability dac_override to system_mail_t domain +- Update uuidd policy to reflect last changes from base branch +- Add cap dac_override to procmail_t domain +- Allow sendmail to mmap etc_aliases_t files BZ(1578569) +- Add new interface dbus_read_pid_sock_files() +- Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean will be enabled +- Allow fsdaemon_t do send emails BZ(1582701) +- Allow firewalld_t domain to request kernel module BZ(1573501) +- Allow chronyd_t domain to send send msg via dgram socket BZ(1584757) +- Add sys_admin capability to fprint_t SELinux domain +- Allow cyrus_t domain to create own files under /var/run BZ(1582885) +- Allow cachefiles_kernel_t domain to have capability dac_override +- Update policy for ypserv_t domain +- Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t +- Allow cyrus to have dac_override capability +- Dontaudit action when abrt-hook-ccpp is writing to nscd sockets +- Fix homedir polyinstantion under mls +- Fixed typo in init.if file +- Allow systemd to remove generic tmpt files BZ(1583144) +- Update init_named_socket_activation() interface to also allow systemd create objects in /var/run with proper label during socket activation +- Allow systemd-networkd and systemd-resolved services read system-dbusd socket BZ(1579075) +- Fix typo in authlogin SELinux security module +- Allod nsswitch_domain attribute to be system dbusd client BZ(1584632) +- Allow audisp_t domain to mmap audisp_exec_t binary +- Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file +- Label tcp/udp ports 2612 as qpasa_agetn_port_t + * Sat May 26 2018 Lukas Vrabec - 3.14.2-21 - Add dac_override to exim policy BZ(1574303) - Fix typo in conntrackd.fc file diff --git a/sources b/sources index 027f9e2e..db51a23d 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (selinux-policy-contrib-6cf567f.tar.gz) = 46f21dd2d17f314e6beb2197ba80139c4fa2d468e9f60caeb99200a943e62435b8567f4134fcf15674d9544382cd48c7befc82a91360f5123533bab22dd14d26 -SHA512 (selinux-policy-a1ec13e.tar.gz) = 1dfc5fa9345f39d0815f6450951fd6925b2f1a3df091193c259545218197b3f31cdff033d0e2c9a2f61de387c1deb3cac1573b17ec43c313ba4520c3ed5f71af -SHA512 (container-selinux.tgz) = 25c6d9a075212c43a7895e858d6466e5b3a9658753efd06096442481d285ef7ed7e4cd1bad39d9fb9f0c4e44253c10c513880e6f75a717c335d1fdfbbb3f91b3 +SHA512 (selinux-policy-contrib-93edf9a.tar.gz) = dcbcbe679f779d594625ba1e25ae346e6854274ee4ca297f2e94b216352b054bcd98364792f048f638f38abc4e436bf400e38d634a43dc322f5c65129e18a782 +SHA512 (selinux-policy-d06c960.tar.gz) = 80671384c85c91b920ad792b290843986b5ba495416de49cf94535bdba28b3dfe237a925116767dd7e781f76df44168788217169f03648ea82f37aa586395a38 +SHA512 (container-selinux.tgz) = f841e4e02294f0c12bbb81bc463ba8129154f5fdb18b9ad7fe254e86b6668dca069991dd3c3b3b8a20ef072fcd018750fbf8f5399a1a221b427bd92268d0b243