From 35bcefb9e1a3ec0dae44f21fa3c023ee45d0e215 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Wed, 18 Jul 2018 17:37:07 +0200 Subject: [PATCH] * Wed Jul 18 2018 Lukas Vrabec - 3.14.2-28 - Allow cupsd_t domain to mmap cupsd_etc_t files - Allow kadmind_t domain to mmap krb5kdc_principal_t - Allow virtlogd_t domain to read virt_etc_t link files - Allow dirsrv_t domain to read crack db - Dontaudit pegasus_t to require sys_admin capability - Allow mysqld_t domain to exec mysqld_exec_t binary files - Allow abrt_t odmain to read rhsmcertd lib files - Allow winbind_t domain to request kernel module loads - Allow tomcat_domain to read cgroup_t files - Allow varnishlog_t domain to mmap varnishd_var_lib_t files - Allow innd_t domain to mmap news_spool_t files - Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t - Allow fenced_t domain to reboot - Allow amanda_t domain to read network system state - Allow abrt_t domain to read rhsmcertd logs - Fix typo in radius policy - Update zoneminder policy to reflect latest features in zoneminder BZ(1592555) - Label /usr/bin/esmtp-wrapper as sendmail_exec_t - Update raid_access_check_mdadm() interface to dontaudit caller domain to mmap mdadm_exec_t binary files - Dontaudit thumb to read mmap_min_addr - Allow chronyd_t to send to system_cronjob_t via unix dgram socket BZ(1494904) - Allow mpd_t domain to mmap mpd_tmpfs_t files BZ(1585443) - Allow collectd_t domain to use ecryptfs files BZ(1592640) - Dontaudit mmap home type files for abrt_t domain - Allow fprintd_t domain creating own tmp files BZ(1590686) - Allow collectd_t domain to bind on bacula_port_t BZ(1590830) - Allow fail2ban_t domain to getpgid BZ(1591421) - Allow nagios_script_t domain to mmap nagios_log_t files BZ(1593808) - Allow pcp_pmcd_t domain to use sys_ptrace usernamespace cap - Allow sssd_selinux_manager_t to read/write to systemd sockets BZ(1595458) - Allow virt_qemu_ga_t domain to read network state BZ(1592145) - Allow radiusd_t domain to mmap radius_etc_rw_t files - Allow git_script_t domain to read and mmap gitosis_var_lib_t files BZ(1591729) - Add dac_read_search capability to thumb_t domain - Add dac_override capability to cups_pdf_t domain BZ(1594271) - Add net_admin capability to connntrackd_t domain BZ(1594221) - Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234) - Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476) - Allow motion_t to mmap video devices BZ(1590446) - Add dac_override capability to mpd_t domain BZ(1585358) - Allow fsdaemon_t domain to write to mta home files BZ(1588212) - Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337) - Allow sssd_t domain to write to general cert files BZ(1589339) - Allow l2tpd_t domain to sends signull to ipsec domains BZ(1589483) - Allow cockpit_session_t to read kernel network state BZ(1596941) - Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817) - Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files - Allow chronyc_t domain to use nscd shm - Label /var/lib/tomcats dir as tomcat_var_lib_t --- .gitignore | 2 + selinux-policy.spec | 90 +++++++++++++++++++++++++++++++++++++++++++-- sources | 6 +-- 3 files changed, 92 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index c67e112f..05455f14 100644 --- a/.gitignore +++ b/.gitignore @@ -296,3 +296,5 @@ serefpolicy* /selinux-policy-contrib-494e26e.tar.gz /selinux-policy-2248854.tar.gz /selinux-policy-contrib-23a0603.tar.gz +/selinux-policy-d616286.tar.gz +/selinux-policy-contrib-bfc11d6.tar.gz diff --git a/selinux-policy.spec b/selinux-policy.spec index 1973c215..c39cc7c1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 2248854aed6cf995e0e8b461faf88c4f68476dbb +%global commit0 d61628691715136c744f049f4d61aeeec3c0d9fa %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 23a0603743df50bbb47221cc79ecda5a522bb622 +%global commit1 bfc11d6bd418bc719015ea876365d2f894e18499 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat @@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.2 -Release: 27%{?dist} +Release: 28%{?dist} License: GPLv2+ Group: System Environment/Base Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz @@ -709,6 +709,90 @@ exit 0 %endif %changelog +* Wed Jul 18 2018 Lukas Vrabec - 3.14.2-28 +- Allow cupsd_t domain to mmap cupsd_etc_t files +- Allow kadmind_t domain to mmap krb5kdc_principal_t +- Allow virtlogd_t domain to read virt_etc_t link files +- Allow dirsrv_t domain to read crack db +- Dontaudit pegasus_t to require sys_admin capability +- Allow mysqld_t domain to exec mysqld_exec_t binary files +- Allow abrt_t odmain to read rhsmcertd lib files +- Allow winbind_t domain to request kernel module loads +- Allow tomcat_domain to read cgroup_t files +- Allow varnishlog_t domain to mmap varnishd_var_lib_t files +- Allow innd_t domain to mmap news_spool_t files +- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t +- Allow fenced_t domain to reboot +- Allow amanda_t domain to read network system state +- Allow abrt_t domain to read rhsmcertd logs +- Fix typo in radius policy +- Update zoneminder policy to reflect latest features in zoneminder BZ(1592555) +- Label /usr/bin/esmtp-wrapper as sendmail_exec_t +- Update raid_access_check_mdadm() interface to dontaudit caller domain to mmap mdadm_exec_t binary files +- Dontaudit thumb to read mmap_min_addr +- Allow chronyd_t to send to system_cronjob_t via unix dgram socket BZ(1494904) +- Allow mpd_t domain to mmap mpd_tmpfs_t files BZ(1585443) +- Allow collectd_t domain to use ecryptfs files BZ(1592640) +- Dontaudit mmap home type files for abrt_t domain +- Allow fprintd_t domain creating own tmp files BZ(1590686) +- Allow collectd_t domain to bind on bacula_port_t BZ(1590830) +- Allow fail2ban_t domain to getpgid BZ(1591421) +- Allow nagios_script_t domain to mmap nagios_log_t files BZ(1593808) +- Allow pcp_pmcd_t domain to use sys_ptrace usernamespace cap +- Allow sssd_selinux_manager_t to read/write to systemd sockets BZ(1595458) +- Allow virt_qemu_ga_t domain to read network state BZ(1592145) +- Allow radiusd_t domain to mmap radius_etc_rw_t files +- Allow git_script_t domain to read and mmap gitosis_var_lib_t files BZ(1591729) +- Add dac_read_search capability to thumb_t domain +- Add dac_override capability to cups_pdf_t domain BZ(1594271) +- Add net_admin capability to connntrackd_t domain BZ(1594221) +- Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234) +- Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476) +- Allow motion_t to mmap video devices BZ(1590446) +- Add dac_override capability to mpd_t domain BZ(1585358) +- Allow fsdaemon_t domain to write to mta home files BZ(1588212) +- Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337) +- Allow sssd_t domain to write to general cert files BZ(1589339) +- Allow l2tpd_t domain to sends signull to ipsec domains BZ(1589483) +- Allow cockpit_session_t to read kernel network state BZ(1596941) +- Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817) +- Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files +- Allow chronyc_t domain to use nscd shm +- Label /var/lib/tomcats dir as tomcat_var_lib_t +- Allow lsmd_t domain to mmap lsmd_plugin_exec_t files +- Add ibacm policy +- Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t +- Allow kdumpgui_t domain to allow execute and mmap all binaries labeled as kdumpgui_tmp_t +- Dontaudit syslogd to watching top llevel dirs when imfile module is enabled +- Allow userdomain sudo domains to use generic ptys +- Allow systemd labeled as init_t to get sysvipc info BZ(1600877) +- Label /sbin/xtables-legacy-multi and /sbin/xtables-nft-multi as iptables_exec_t BZ(1600690) +- Remove duplicated userdom_delete_user_home_content_files +- Merge pull request #216 from rhatdan/resolved +- Allow load_policy_t domain to read/write to systemd sockets BZ(1582812) +- Add new interface init_prog_run_bpf() +- Allow unconfined and sysadm users to use bpftool BZ(1591440) +- Label /run/cockpit/motd as etc_t BZ(1584167) +- Allow systemd_machined_t domain to sendto syslogd_t over unix dgram sockets +- Add interface userdom_dontaudit_mmap_user_home_content_files() +- Allow systemd to listen bluetooth sockets BZ(1592223) +- Allow systemd to remove user_home_t files BZ(1418463) +- Allow xdm_t domain to mmap and read cert_t files BZ(1553761) +- Allow nsswitch_domain to mmap passwd_file_t files BZ(1518655) +- Allow systemd to delete user temp files BZ(1595189) +- Allow systemd to mounton core kernel interface +- Add dac_override capability to ipsec_t domain BZ(1589534) +- Allow systemd domain to mmap lvm config files BZ(1594584) +- Allow systemd to write systemd_logind_inhibit_var_run_t fifo files +- Allows systemd to get attribues of core kernel interface BZ(1596928) +- Allow systemd_modules_load_t to access unabeled infiniband pkeys +- Add systemd_dbus_chat_resolved interface +- Allow init_t domain to create netlink rdma sockets for ibacm policy +- Update corecmd_exec_shell() interface to allow caller domain to mmap shell_exec_t files +- Allow lvm_t domain to write files to all mls levels +- Add to su_role_template allow rule for creating netlink_selinux sockets + + * Sat Jul 14 2018 Fedora Release Engineering - 3.14.2-27 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild diff --git a/sources b/sources index ff11d72a..f1f5831b 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (selinux-policy-2248854.tar.gz) = a31e440d30a9cde54352845dc1d0b0ccd218119eaaf3bd0434ac2faa4b8703bd0214b7c79464182390f3770534aa8d8b63d2564b62634a676047010058e1616c -SHA512 (selinux-policy-contrib-23a0603.tar.gz) = 9ddbdfb70f85844949bf3711bc6273b645428792ca7378385b8c3b3930142917d8d95a58408f07b00508ed123b3cc91dbfe590931b3ce1c71598499c05a2a688 -SHA512 (container-selinux.tgz) = a12ff217b28203b42fa1a438bd96a6d2ac54bc621bd30c4113007f1a6d687e63446d0a9c191a1bb5bc6e75dc875f8c5caf817c00fe8e04416138581deb3abf12 +SHA512 (container-selinux.tgz) = c7a65ac9b50b465201c405fdac721e2b92e6bfded2c49a9027e1df6fb036730113fbdfa5cce8394fe73e6f0eff371e5bbf4b0e1535b2311b8627696669485ba3 +SHA512 (selinux-policy-d616286.tar.gz) = 2e318cb95da9501b64a46488b9561fea4d7399a5167dc0f78a45876ab450a702e4c2eea6270dd9221ce38bfa205f0394f1eda776219e8b8297828ff5290d868f +SHA512 (selinux-policy-contrib-bfc11d6.tar.gz) = 7d9e256113afb862de2eac4a4594f08e7f91a0455db1106756cec20546e8404b8d235c3b0a15b48f46348a9492de282521143a1ecf84a79a037e19476f6ad3f1