* Sun Nov 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-12

- Label /var/cache/nginx as httpd_cache_t - Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald - Created dnsmasq_use_ipset boolean - Allow capability dac_override in logwatch_mail_t domain - Allow automount_t domain to execute ping in own SELinux domain (ping_t) - Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t - Allow collectd_t domain to create netlink_generic_socket sockets - Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files - Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command. - Label /etc/postfix/chroot-update as postfix_exec_t - Update tmpreaper_t policy due to fuser command - Allow kdump_t domain to create netlink_route and udp sockets - Allow stratisd to connect to dbus - Allow fail2ban_t domain to create netlink netfilter sockets. - Allow dovecot get filesystem quotas - Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689) - Allow systemd-tmpfiles processes to set rlimit information - Allow cephfs to use xattrs for storing contexts - Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t
2019-11-03 12:59:34 +01:00 · 2019-11-03 12:59:34 +01:00 · 4faaca1916
parent 0c284fe6fc
commit 4faaca1916
3 changed files with 29 additions and 6 deletions
--- a/.gitignore
+++ b/.gitignore
@ -416,3 +416,5 @@ serefpolicy*
 /selinux-policy-c95997f.tar.gz
 /selinux-policy-contrib-6b3a800.tar.gz
 /selinux-policy-7b7648b.tar.gz
+/selinux-policy-contrib-dee19b8.tar.gz
+/selinux-policy-40f6bcc.tar.gz
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 7b7648b9040e7af3c95047f562b151b712757fab
+%global commit0 40f6bccc38526717eb8ff2032d3c915bc77ad3d1
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})

 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 6b3a80044b76f0aaf7b3dd09c4651dd37fa26db9
+%global commit1 dee19b8b41fcf9ca57e9e019b30b112a7546c030
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})

 %define distro redhat
@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.5
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@ -787,6 +787,27 @@ exit 0
 %endif

 %changelog
+* Sun Nov 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-12
+- Label /var/cache/nginx as httpd_cache_t
+- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald
+- Created dnsmasq_use_ipset boolean
+- Allow capability dac_override in logwatch_mail_t domain
+- Allow automount_t domain to execute ping in own SELinux domain (ping_t)
+- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
+- Allow collectd_t domain to create netlink_generic_socket sockets
+- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files
+- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.
+- Label /etc/postfix/chroot-update as postfix_exec_t
+- Update tmpreaper_t policy due to fuser command
+- Allow kdump_t domain to create netlink_route and udp sockets
+- Allow stratisd to connect to dbus
+- Allow fail2ban_t domain to create netlink netfilter sockets.
+- Allow dovecot get filesystem quotas
+- Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689)
+- Allow systemd-tmpfiles processes to set rlimit information
+- Allow cephfs to use xattrs for storing contexts
+- Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t
+
 * Fri Oct 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-11
 - Allow confined users to run newaliases
 - Add interface mysql_dontaudit_rw_db()
--- a/6
+++ b/6
@ -1,4 +1,4 @@
-SHA512 (selinux-policy-contrib-6b3a800.tar.gz) = 9b3e196ebba79b2cb8b9d6a6e967624a32a03f8212852c8924aa9cd3d224b4556f5c3da6a3edaf213a706c23621eaa6d1bdfc0182439a33abf70518861fe91ba
-SHA512 (selinux-policy-7b7648b.tar.gz) = 968c3c226063a8de950809c06fdd3661e07f9b5cb8124614d65303546e47d65556b585d545fa041c34dee28eea429092821703bc0395f52d3ce11f778e3aa0f2
-SHA512 (container-selinux.tgz) = a263a723da828dd48f2d801f6710ecedc83223d7ecb1650b9ff1eac755326d871f0648a2bc2bc1643e0a4141b04b90c96b60863ead7130324dac5849985adca4
+SHA512 (selinux-policy-contrib-dee19b8.tar.gz) = dc7f4e9f11b00548505f698d4993dcd66229b60afdd7c558aef391bb9ff90a4a9ae6fa8a62c9f565e2cc131e0dc6e8341998af3b9728d360de59c68737eb5183
+SHA512 (selinux-policy-40f6bcc.tar.gz) = b82310184959b36cd2a6de960913994b1ebf63c36d95a7b2de14f3cdf6feb2df1f215900925957b6a47a5be2f7ff9dc41fff4e9b6db3a82c683eca8e73f9c322
 SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4
+SHA512 (container-selinux.tgz) = 7a0d3e5c47fd1c856b63ed5aa9eba1f553fcd4afa941cf66a61876032dbb53d4dcfd58fff105251b2d8c34e6e47c086815b4bd31f363b1eaa73192c1c5f3dab9