rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import selinux-policy-3.14.3-79.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-10-06 07:17:05 -04:00 committed by Stepan Oksanichenko
parent dca2cf68db
commit 410c78c03b
5 changed files with 224 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@ -1,3 +1,3 @@
SOURCES/container-selinux.tgz SOURCES/container-selinux.tgz
SOURCES/selinux-policy-33fd484.tar.gz SOURCES/selinux-policy-8f56f63.tar.gz
SOURCES/selinux-policy-contrib-4beb213.tar.gz SOURCES/selinux-policy-contrib-2a53cd0.tar.gz

6
.selinux-policy.metadata
View File

@ -1,3 +1,3 @@
99c5dc0dbb5f824b2cc29d18e8911401677e0bb1 SOURCES/container-selinux.tgz 0d1a0214195d9519327846c21d7ac90b7da218c1 SOURCES/container-selinux.tgz
4da13e377b1e178962423475a04832ed39581394 SOURCES/selinux-policy-33fd484.tar.gz 672cfe526149ad56c857a79856e769548d9ead8e SOURCES/selinux-policy-8f56f63.tar.gz
45d3dbd0265f43953376baacdbc070a566eb429b SOURCES/selinux-policy-contrib-4beb213.tar.gz 6e84adfa8c88519a3c24f6f8426d59868bcd6050 SOURCES/selinux-policy-contrib-2a53cd0.tar.gz

1
SOURCES/file_contexts.subs_dist
View File

@ -17,3 +17,4 @@
/var/roothome /root /var/roothome /root
/sbin /usr/sbin /sbin /usr/sbin
/sysroot/tmp /tmp /sysroot/tmp /tmp
/var/usrlocal /usr/local

9
SOURCES/modules-targeted-contrib.conf
View File

@ -720,13 +720,6 @@ git = module
# #
glance = module glance = module
# Layer: contrib
# Module: glusterd
#
# policy for glusterd service
#
glusterd = module
# Layer: apps # Layer: apps
# Module: gnome # Module: gnome
# #
@ -2012,7 +2005,7 @@ timidity = off
tmpreaper = module tmpreaper = module
# Layer: contrib # Layer: contrib
# Module: glusterd # Module: tomcat
# #
# policy for tomcat service # policy for tomcat service
# #

220
SPECS/selinux-policy.spec
View File

@ -1,11 +1,11 @@
# github repo with selinux-policy base sources # github repo with selinux-policy base sources
%global git0 https://github.com/fedora-selinux/selinux-policy %global git0 https://github.com/fedora-selinux/selinux-policy
%global commit0 33fd4847deb2522105cfba82da5efb707025934c %global commit0 8f56f631a921d043bc8176f7c64a38cd77b48f66
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
# github repo with selinux-policy contrib sources # github repo with selinux-policy contrib sources
%global git1 https://github.com/fedora-selinux/selinux-policy-contrib %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
%global commit1 4beb213356f6020d4ea6635dda6842cef88fb357 %global commit1 2a53cd02bd0d06568ecc549b15321f658d00babd
%global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
%define distro redhat %define distro redhat
@ -29,7 +29,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.14.3 Version: 3.14.3
Release: 65%{?dist} Release: 79%{?dist}
License: GPLv2+ License: GPLv2+
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@ -715,6 +715,220 @@ exit 0
%endif %endif
%changelog %changelog
* Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-79
- Introduce xdm_manage_bootloader booelan
Resolves: rhbz#1994096
- Rename samba_exec() to samba_exec_net()
Resolves: rhbz#1855215
- Allow sssd to set samba setting
Resolves: rhbz#1855215
- Allow dirsrv read slapd tmpfs files
Resolves: rhbz#1843238
- Allow rhsmcertd to create cache file in /var/cache/cloud-what
Resolves: rhbz#1994718
* Wed Aug 25 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-78
- Label /usr/bin/Xwayland with xserver_exec_t
Resolves: rhbz#1984584
- Label /usr/libexec/gdm-runtime-config with xdm_exec_t
Resolves: rhbz#1984584
- Allow D-bus communication between avahi and sosreport
Resolves: rhbz#1916397
- Allow lldpad send to kdumpctl over a unix dgram socket
Resolves: rhbz#1979121
- Revert "Allow lldpad send to kdump over a unix dgram socket"
Resolves: rhbz#1979121
- Allow chronyc respond to a user chronyd instance
Resolves: rhbz#1993104
- Allow ptp4l respond to pmc
Resolves: rhbz#1993104
- Allow lldpad send to unconfined_t over a unix dgram socket
Resolves: rhbz#1993270
* Thu Aug 12 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-77
- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
Resolves: rhbz#1887739
- Allow sysadm to read/write scsi files and manage shadow
Resolves: rhbz#1956302
- Allow rhsmcertd execute gpg
Resolves: rhbz#1887572
- Allow lldpad send to kdump over a unix dgram socket
Resolves: rhbz#1979121
- Remove glusterd SELinux module from distribution policy
Resolves: rhbz#1816718
* Tue Aug 10 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-76
- Allow login_userdomain read and map /var/lib/systemd files
Resolves: rhbz#1965251
- Allow sysadm acces to kernel module resources
Resolves: rhbz#1965251
- Allow sysadm to read/write scsi files and manage shadow
Resolves: rhbz#1965251
- Allow sysadm access to files_unconfined and bind rpc ports
Resolves: rhbz#1965251
- Allow sysadm read and view kernel keyrings
Resolves: rhbz#1965251
- Allow bootloader to read tuned etc files
Resolves: rhbz#1965251
- Update the policy for systemd-journal-upload
Resolves: rhbz#1913414
- Allow journal mmap and read var lib files
Resolves: rhbz#1965251
- Allow tuned to read rhsmcertd config files
Resolves: rhbz#1965251
- Allow bootloader to read tuned etc files
Resolves: rhbz#1965251
- Confine rhsm service and rhsm-facts service as rhsmcertd_t
Resolves: rhbz#1846081
- Allow virtlogd_t read process state of user domains
Resolves: rhbz#1797899
- Allow cockpit_ws_t get attributes of fs_t filesystems
Resolves: rhbz#1979182
* Thu Jul 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-75
- Add the unconfined_dgram_send() interface
Resolves: rhbz#1978562
- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
Resolves: rhbz#1936522
- Add checkpoint_restore cap2 capability
Resolves: rhbz#1973325
- Allow fcoemon talk with unconfined user over unix domain datagram socket
Resolves: rhbz#1978562
- Allow hostapd bind UDP sockets to the dhcpd port
Resolves: rhbz#1977676
- Allow NetworkManager read and write z90crypt device
Resolves: rhbz#1938203
- Allow abrt_domain read and write z90crypt device
Resolves: rhbz#1938203
- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
Resolves: rhbz#1937111
- Allow mdadm read iscsi pid files
Resolves: rhbz#1924716
* Fri Jul 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-74
- Allow dyntransition from sshd_t to unconfined_t
Resolves: rhbz#1947841
* Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-73
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
Resolves: rhbz#1947841
- Allow transition from xdm domain to unconfined_t domain.
Resolves: rhbz#1947841
- Allow nftables read NetworkManager unnamed pipes
Resolves: rhbz#1967857
- Create a policy for systemd-journal-upload
Resolves: rhbz#1913414
- Add dev_getattr_infiniband_dev() interface.
Resolves: rhbz#1972522
- Allow tcpdump and nmap get attributes of infiniband_device_t
Resolves: rhbz#1972522
- Allow fcoemon create sysfs files
Resolves: rhbz#1978562
- Allow nftables read NetworkManager unnamed pipes
Resolves: rhbz#1967857
- Allow radius map its library files
Resolves: rhbz#1854650
- Allow arpwatch get attributes of infiniband_device_t devices
Resolves: rhbz#1936522
* Tue Jun 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-72
- Allow systemd-sleep get attributes of fixed disk device nodes
Resolves: rhbz#1931460
- Allow systemd-sleep create hardware state information files
Resolves: rhbz#1968610
- virtiofs supports Xattrs and SELinux
Resolves: rhbz#1899703
- Label 4460/tcp port as ntske_port_t
Resolves: rhbz#1961207
- Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.
Resolves: rhbz#1961207
- Allow chronyd_t to accept and make NTS-KE connections
Resolves: rhbz#1961207
- Dontaudit NetworkManager write to initrc_tmp_t pipes
Resolves: rhbz#1963162
- Allow logrotate rotate container log files
Resolves: rhbz#1892170
- Allow rhsmd read process state of all domains and kernel threads
Resolves: rhbz#1878020
* Tue Jun 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-71
- Allow nmap create and use rdma socket
Resolves: rhbz#1844530
- Label /.k5identity file allow read of this file to rpc.gssd
Resolves: rhbz#1951093
- Label /var/lib/kdump with kdump_var_lib_t
Resolves: rhbz#1965985
- Label /run/libvirt/common with virt_common_var_run_t
Resolves: rhbz#1966842
* Wed Jun 09 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-70
- Allow using opencryptoki for ipsec
Resolves: rhbz#1894132
- Remove all kernel_getattr_proc() interface calls
Resolves: rhbz#1967125
- Allow domain stat /proc filesystem
Resolves: rhbz#1967125
- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
Resolves: rhbz#1969725
- Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
Resolves: rhbz#1894132
- Allow using opencryptoki for certmonger
Resolves: rhbz#1894132
- install_t: Allow NoNewPriv transition from systemd
Resolves: rhbz#1955547
- Remove all kernel_getattr_proc() interface calls
Resolves: rhbz#1967125
- Allow httpd_sys_script_t read, write, and map hugetlbfs files
Resolves: rhbz#1966133
* Wed Jun 02 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-69
- Add /var/usrlocal equivalency rule
Resolves: rhbz#1943381
- Label '/var/usrlocal/(.*/)?sbin(/.*)?' as bin_t
Resolves: rhbz#1943381
- Label /dev/trng with random_device_t
Resolves: rhbz#1934483
- Allow systemd-sleep transition to sysstat_t
Resolves: rhbz#1927551
- Allow systemd-sleep transition to tlp_t
Resolves: rhbz#1927551
- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
Resolves: rhbz#1927551
- Allow systemd-sleep execute generic programs
Resolves: rhbz#1948070
- Allow systemd-sleep execute shell
Resolves: rhbz#1954358
- Allow nsswitch_domain read init pid lnk_files
Resolves: rhbz#1860924
- Introduce logging_syslogd_list_non_security_dirs tunable
Resolves: rhbz#1823669
- Add sysstat_domtrans() to allow systemd-sleep transition to sysstat_t
Resolves: rhbz#1927551
- Change param description in cron interfaces to userdomain_prefix
Resolves: rhbz#1801249
- Add missing declaration in rpm_named_filetrans()
Resolves: rhbz#1801249
* Thu May 20 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-68
- Allow pluto IKEv2 / ESP over TCP
Resolves: rhbz#1931848
- Label SDC(scini) Dell Driver
Resolves: rhbz#1936882
- Add file context specification for /var/tmp/tmp-inst
Resolves: rhbz#1919253
- Allow virtlogd_t to create virt_var_lockd_t dir
Resolves: rhbz#1941464
- Allow cups-lpd read its private runtime socket files
Resolves: rhbz#1919399
* Mon Mar 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-67
- Allow systemd the audit_control capability conditionally
Resolves: rhbz#1861771
* Thu Mar 04 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-66
- Disallow user_t run su/sudo and staff_t run su
Resolves: rhbz#1907517
* Mon Feb 22 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-65 * Mon Feb 22 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-65
- Relabel /usr/sbin/charon-systemd as ipsec_exec_t - Relabel /usr/sbin/charon-systemd as ipsec_exec_t
Resolves: rhbz#1889542 Resolves: rhbz#1889542